9995a1c9ecf2a84bb9da752dfc43cbe8_sys

1. Type Mode/Class Details (Path/Message/Protocol/Hostname/Qtype/ListenPort etc.) Process ID Parent ID File Size
2. Analysis
3. Malware
4.  
5.  
6. Application
7.  
8.  
9. 3 Repeated items skipped
10. Config Update
11.  
12.  
13. Uac
14. Service
15.  
16. Windows Image Acquisition (WIA)
17.  
18. Uac
19. Service
20.  
21. Multimedia Class Scheduler
22.  
23. Process
24. Started
25.  
26. C:\Users\Administrator\AppData\Local\Temp\factura.exe
27. Parentname: C:\Windows\explorer.exe
28. Command Line: "C:\Users\ADMINI~1\AppData\Local\Temp\factura.exe"
29. MD5: 9995a1c9ecf2a84bb9da752dfc43cbe8
30. SHA1: d54dcd18d30fc944347b994376282c9ec1b7467d
31. 604 1676 1206863
32. File
33. Failed
34.  
35. C:\Windows\System32\WOW64LOG.DLL
36. 604
37. Mutex
38.  
39. \Sessions\1\BaseNamedObjects\DBWinMutex
40. 604
41. Regkey
42. Queryvalue
43.  
44. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
45. 604
46. File
47. Failed
48.  
49. C:\Users\ADMINI~1\AppData\Local\Temp\KYEFJIANLV
50. 604
51. File
52. Failed
53.  
54. C:\Users\ADMINI~1\AppData\Local\Temp\kyEFJiaNlv
55. 604
56. File
57. Failed
58.  
59. C:\Windows\SysWOW64\KYEFJIANLV
60. 604
61. File
62. Failed
63.  
64. C:\Windows\system\KYEFJIANLV
65. 604
66. File
67. Failed
68.  
69. C:\Windows\KYEFJIANLV
70. 604
71. File
72. Failed
73.  
74. C:\Windows\SysWOW64\KYEFJIANLV
75. 604
76. File
77. Failed
78.  
79. C:\Windows\KYEFJIANLV
80. 604
81. File
82. Failed
83.  
84. C:\Windows\SysWOW64\wbem\KYEFJIANLV
85. 604
86. File
87. Failed
88.  
89. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\KYEFJIANLV
90. 604
91. File
92. Failed
93.  
94. C:\Program Files (x86)\Skype\Phone\KYEFJIANLV
95. 604
96. File
97. Failed
98.  
99. C:\Program Files (x86)\QuickTime\QTSystem\KYEFJIANLV
100. 604
101. File
102. Failed
103.  
104. C:\Program Files (x86)\Debugging Tools for Windows (x86)\KYEFJIANLV
105. 604
106. File
107. Failed
108.  
109. C:\Program Files\Debugging Tools for Windows (x64)\KYEFJIANLV
110. 604
111. API Call
112.  
113. API Name: GetDesktopWindow Address: 0x004010e0
114. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: user32.dll
115. 604
116. File
117. Failed
118.  
119. C:\Users\ADMINI~1\AppData\Local\Temp\RXVWYJLHVY
120. 604
121. File
122. Failed
123.  
124. C:\Users\ADMINI~1\AppData\Local\Temp\rxVwYjlhVy
125. 604
126. File
127. Failed
128.  
129. C:\Windows\SysWOW64\RXVWYJLHVY
130. 604
131. File
132. Failed
133.  
134. C:\Windows\system\RXVWYJLHVY
135. 604
136. File
137. Failed
138.  
139. C:\Windows\RXVWYJLHVY
140. 604
141. File
142. Failed
143.  
144. C:\Windows\SysWOW64\RXVWYJLHVY
145. 604
146. File
147. Failed
148.  
149. C:\Windows\RXVWYJLHVY
150. 604
151. File
152. Failed
153.  
154. C:\Windows\SysWOW64\wbem\RXVWYJLHVY
155. 604
156. File
157. Failed
158.  
159. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\RXVWYJLHVY
160. 604
161. File
162. Failed
163.  
164. C:\Program Files (x86)\Skype\Phone\RXVWYJLHVY
165. 604
166. File
167. Failed
168.  
169. C:\Program Files (x86)\QuickTime\QTSystem\RXVWYJLHVY
170. 604
171. File
172. Failed
173.  
174. C:\Program Files (x86)\Debugging Tools for Windows (x86)\RXVWYJLHVY
175. 604
176. File
177. Failed
178.  
179. C:\Program Files\Debugging Tools for Windows (x64)\RXVWYJLHVY
180. 604
181. API Call
182.  
183. API Name: GetSystemDirectoryW Address: 0x75eef96e
184. Params: [0x75f56420, 260]
185. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
186. 604
187. File
188. Failed
189.  
190. C:\Users\ADMINI~1\AppData\Local\Temp\NETAPI32.DLL
191. 604
192. File
193. Failed
194.  
195. C:\Users\ADMINI~1\AppData\Local\Temp\NETUTILS.DLL
196. 604
197. File
198. Failed
199.  
200. C:\Users\ADMINI~1\AppData\Local\Temp\SRVCLI.DLL
201. 604
202. File
203. Failed
204.  
205. C:\Users\ADMINI~1\AppData\Local\Temp\WKSCLI.DLL
206. 604
207. File
208. Failed
209.  
210. C:\Users\ADMINI~1\AppData\Local\Temp\SCHEDCLI.DLL
211. 604
212. File
213. Failed
214.  
215. C:\Users\ADMINI~1\AppData\Local\Temp\PROFAPI.DLL
216. 604
217. API Call
218.  
219. API Name: GetComputerNameW Address: 0x00413a3c
220. Params: [0x18fb14, 0x18fb54]
221. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
222. 604
223. API Call
224.  
225. API Name: GetSystemDirectoryW Address: 0x00413bac
226. Params: [0x18f94c, 260]
227. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
228. 604
229. Regkey
230. Queryvalue
231.  
232. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
233. 604
234. Regkey
235. Added
236.  
237. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\System32\Configuration\
238. 604
239. Regkey
240. Added
241.  
242. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\System32
243. 604
244. Regkey
245. Added
246.  
247. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\System32\Configuration
248. 604
249. Regkey
250. Setval
251.  
252. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\System32\Configuration\"xi" = 7A2F0ADB1B90B147DABB
253. 604
254. File
255. Failed
256.  
257. C:\ProgramData\SYSTEM32\XVERSION
258. 604
259. File
260. Failed
261.  
262. C:\Users\Administrator\AppData\Roaming\SYSTEM32\XVERSION
263. 604
264. File
265. Failed
266.  
267. C:\ProgramData\WINDOWS
268. 604
269. Folder
270. Created
271.  
272. C:\ProgramData\Windows
273. 604
274. Folder
275. Hide
276.  
277. C:\ProgramData\Windows
278. 604
279. File
280. Failed
281.  
282. C:\ProgramData\Windows\CSRSS.EXE
283. 604
284. File
285. Created
286.  
287. C:\ProgramData\Windows\csrss.exe
288. 604
289. Malicious Alert
290. Malicious Directory
291.  
292. Message: Executable file created in suspicious location
293.  
294. Malicious Alert
295. Misc Anom
296.  
297. Message: Generic Trojan Behavior
298.  
299. API Call
300.  
301. API Name: SetProcessDEPPolicy Address: 0x00470bd9
302. Params: [1]
303. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
304. 604
305. Folder
306. Created
307.  
308. C:\Users\Administrator\AppData\Local\Temp\6893A5D897
309. 604
310. File
311. Close
312.  
313. C:\ProgramData\Windows\csrss.exe
314. MD5: 9995a1c9ecf2a84bb9da752dfc43cbe8
315. SHA1: d54dcd18d30fc944347b994376282c9ec1b7467d
316. 604 1206863
317. API Call
318.  
319. API Name: Sleep Address: 0x0040de21
320. Params: [100]
321. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
322. 604
323. Regkey
324. Setval
325.  
326. \REGISTRY\USER\S-1-5-21-2529703413-2662079939-3113469119-500\Software\Microsoft\Windows\CurrentVersi
327. on\Run\"Client Server Runtime Subsystem" = "C:\ProgramData\Windows\csrss.exe"
328. 604
329. Regkey
330. Setval
331.  
332. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\System32\Configuration\"xVersion" = 4.0.0.1
333. 604
334. API Call
335.  
336. API Name: GetComputerNameExW Address: 0x776ace4b
337. Params: [0, 0x77740a6c, 0x777401c0]
338. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
339. 604
340. API Call
341.  
342. API Name: Sleep Address: 0x0040de21
343. Params: [100]
344. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
345. 604
346. API Call
347.  
348. API Name: Sleep Address: 0x0040de21
349. Params: [100]
350. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
351. 604
352. 3 Repeated items skipped
353. API Call
354.  
355. API Name: CryptAcquireContextW Address: 0x004247f1
356. Params: [NULL, NULL, 1, 4026531840]
357. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: advapi32.dll
358. 604
359. File
360. Failed
361.  
362. C:\Users\ADMINI~1\AppData\Local\Temp\CRYPTSP.DLL
363. 604
364. API Call
365.  
366. API Name: Sleep Address: 0x0040de21
367. Params: [100]
368. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
369. 604
370. API Call
371.  
372. API Name: GetDesktopWindow Address: 0x0041e281
373. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: user32.dll
374. 604
375. API Call
376.  
377. API Name: Sleep Address: 0x0040de21
378. Params: [100]
379. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
380. 604
381. API Call
382.  
383. API Name: Sleep Address: 0x0040de21
384. Params: [100]
385. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
386. 604
387. API Call
388.  
389. API Name: Process32First Address: 0x00424bf3
390. Params: [0x158, 0x265f7a0]
391. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
392. 604
393. Malicious Alert
394. Generic Anomalous Activity
395.  
396. Message: Enumerating running processes
397.  
398. API Call
399.  
400. API Name: CryptAcquireContextA Address: 0x0050087e
401. Params: [NULL, NULL, 1, 4026531840]
402. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: advapi32.dll
403. 604
404. API Call
405.  
406. API Name: GetDesktopWindow Address: 0x0041e281
407. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: user32.dll
408. 604
409. API Call
410.  
411. API Name: Sleep Address: 0x0040de21
412. Params: [100]
413. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
414. 604
415. API Call
416.  
417. API Name: Sleep Address: 0x0040de21
418. Params: [100]
419. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
420. 604
421. API Call
422.  
423. API Name: Process32First Address: 0x00424bf3
424. Params: [0x14c, 0x265f718]
425. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
426. 604
427. File
428. Failed
429.  
430. C:\Windows\SysWOW64\RPCSS.DLL
431. 604
432. 2 Repeated items skipped
433. API Call
434.  
435. API Name: GetVolumeNameForVolumeMountPointW Address: 0x76a80aaa
436. Params: [NULL, \\?\Volume{a4dcb962-c2b8-11e2-8b83-806e6f6e6963}\]
437. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
438. 604
439. API Call
440.  
441. API Name: GetTokenInformation Address: 0x76a80172
442. Params: [0x18c, 0x19]
443. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: advapi32.dll
444. 604
445. API Call
446.  
447. API Name: Sleep Address: 0x0040de21
448. Params: [100]
449. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
450. 604
451. File
452. Failed
453.  
454. C:\Users\Administrator\AppData\Local\Microsoft\Windows\Caches
455. 604
456. File
457. Failed
458.  
459. C:\Users\ADMINI~1\AppData\Local\Temp\NTMARTA.DLL
460. 604
461. API Call
462.  
463. API Name: GetSystemDirectoryW Address: 0x75709cce
464. Params: [0x2d0f6cc, 260]
465. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
466. 604
467. API Call
468.  
469. API Name: GetVolumeNameForVolumeMountPointW Address: 0x76a80e20
470. Params: [NULL, \\?\Volume{a4dcb965-c2b8-11e2-8b83-806e6f6e6963}\]
471. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
472. 604
473. API Call
474.  
475. API Name: GetVolumeNameForVolumeMountPointW Address: 0x76a80e20
476. Params: [NULL, \\?\Volume{a4dcb962-c2b8-11e2-8b83-806e6f6e6963}\]
477. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
478. 604
479. API Call
480.  
481. API Name: GetTokenInformation Address: 0x76a80172
482. Params: [0x1a8, 0x19]
483. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: advapi32.dll
484. 604
485. API Call
486.  
487. API Name: GetTokenInformation Address: 0x76a80172
488. Params: [0x1a8, 0x19]
489. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: advapi32.dll
490. 604
491. API Call
492.  
493. API Name: Sleep Address: 0x0040de21
494. Params: [100]
495. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
496. 604
497. File
498. Failed
499.  
500. C:\Users\Administrator\AppData\Roaming\TOR
501. 604
502. 4 Repeated items skipped
503. API Call
504.  
505. API Name: Sleep Address: 0x0040de21
506. Params: [100]
507. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
508. 604
509. Network
510. Listen
511.  
512. Protocol Type: tcp Listen Port: 49199 IP Address: 127.0.0.1:49199
513. Imagepath: c:\Users\Administrator\AppData\Local\Temp\factura.exe
514. 604
515. Malicious Alert
516. Network Activity
517.  
518. Message: TCP listen port opened
519.  
520. Network
521. Connect
522.  
523. Protocol Type: tcp Destination Port: 49199 IP Address: 127.0.0.1
524. Imagepath: c:\Users\Administrator\AppData\Local\Temp\factura.exe
525. 604
526. Malicious Alert
527. Network Activity
528.  
529. Message: Network outbound communication attempted
530.  
531. Network
532. Listen
533.  
534. Protocol Type: tcp Listen Port: 31721 IP Address: 127.0.0.1:31721
535. Imagepath: c:\Users\Administrator\AppData\Local\Temp\factura.exe
536. 604
537. File
538. Created
539.  
540. C:\Users\Administrator\AppData\Local\Temp\6893A5D897\lock
541. 604
542. File
543. Created
544.  
545. C:\Users\Administrator\AppData\Local\Temp\6893A5D897\state.tmp
546. 604
547. File
548. Close
549.  
550. C:\Users\Administrator\AppData\Local\Temp\6893A5D897\state.tmp
551. MD5: 34c7720364200078cf8cd1aefda03843
552. SHA1: 0cf818b11aa01a437fa5940fa265f60c6745d363
553. 604 199
554. File
555. Rename
556.  
557. Old Name: C:\Users\Administrator\AppData\Local\Temp\6893A5D897\state.tmp
558. New Name: C:\Users\Administrator\AppData\Local\Temp\6893A5D897\state
559. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
560. MD5: 34c7720364200078cf8cd1aefda03843
561. SHA1: 0cf818b11aa01a437fa5940fa265f60c6745d363
562. 604 199
563. File
564. Failed
565.  
566. C:\Users\ADMINI~1\AppData\Local\Temp\6893A5~1\ROUTER-STABILITY
567. 604
568. File
569. Failed
570.  
571. C:\Users\Administrator\AppData\Roaming\TOR\GEOIP
572. 604
573. File
574. Failed
575.  
576. C:\Users\Administrator\AppData\Roaming\TOR\GEOIP6
577. 604
578. API Call
579.  
580. API Name: Sleep Address: 0x0040de21
581. Params: [100]
582. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
583. 604
584. File
585. Failed
586.  
587. C:\Users\ADMINI~1\AppData\Local\Temp\6893A5~1\CACHED-CERTS
588. 604
589. File
590. Failed
591.  
592. C:\Users\ADMINI~1\AppData\Local\Temp\6893A5~1\CACHED-CONSENSUS
593. 604
594. File
595. Failed
596.  
597. C:\Users\ADMINI~1\AppData\Local\Temp\6893A5~1\UNVERIFIED-CONSENSUS
598. 604
599. File
600. Failed
601.  
602. C:\Users\ADMINI~1\AppData\Local\Temp\6893A5~1\CACHED-MICRODESC-CONSENSUS
603. 604
604. API Call
605.  
606. API Name: Sleep Address: 0x0040de21
607. Params: [100]
608. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
609. 604
610. File
611. Failed
612.  
613. C:\Users\ADMINI~1\AppData\Local\Temp\6893A5~1\UNVERIFIED-MICRODESC-CONSENSUS
614. 604
615. File
616. Failed
617.  
618. C:\Users\ADMINI~1\AppData\Local\Temp\6893A5~1\CACHED-MICRODESCS
619. 604
620. File
621. Failed
622.  
623. C:\Users\ADMINI~1\AppData\Local\Temp\6893A5~1\CACHED-MICRODESCS.NEW
624. 604
625. File
626. Failed
627.  
628. C:\Users\ADMINI~1\AppData\Local\Temp\6893A5~1\CACHED-DESCRIPTORS
629. 604
630. File
631. Failed
632.  
633. C:\Users\ADMINI~1\AppData\Local\Temp\6893A5~1\CACHED-EXTRAINFO
634. 604
635. API Call
636.  
637. API Name: Sleep Address: 0x0040de21
638. Params: [100]
639. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
640. 604
641. API Call
642.  
643. API Name: Sleep Address: 0x0040de21
644. Params: [100]
645. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
646. 604
647. 3 Repeated items skipped
648. API Call
649.  
650. API Name: Sleep Address: 0x0040de21
651. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
652. 604
653. API Call
654.  
655. API Name: Sleep Address: 0x0040de21
656. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
657. 604
658. 3 Repeated items skipped
659. API Call
660.  
661. API Name: GetSystemDirectoryA Address: 0x004f8683
662. Params: [0x265f8f4, 260]
663. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
664. 604
665. File
666. Failed
667.  
668. C:\Users\ADMINI~1\AppData\Local\Temp\WINNSI.DLL
669. 604
670. File
671. Failed
672.  
673. C:\Users\ADMINI~1\AppData\Local\Temp\DHCPCSVC6.DLL
674. 604
675. File
676. Failed
677.  
678. C:\Users\ADMINI~1\AppData\Local\Temp\DHCPCSVC.DLL
679. 604
680. API Call
681.  
682. API Name: GetSystemDirectoryA Address: 0x004f8683
683. Params: [0x265f8f4, 260]
684. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
685. 604
686. API Call
687.  
688. API Name: Sleep Address: 0x0040de21
689. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
690. 604
691. API Call
692.  
693. API Name: Sleep Address: 0x0040de21
694. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
695. 604
696. 4 Repeated items skipped
697. Uac
698. Service
699.  
700. Multimedia Class Scheduler
701.  
702. ProcessTelemetryReport
703.  
704. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
705. 604
706. API Call
707.  
708. API Name: Sleep Address: 0x0040de21
709. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
710. 604
711. ProcessTelemetryReport
712.  
713. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
714. 604
715. API Call
716.  
717. API Name: Sleep Address: 0x0040de21
718. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
719. 604
720. Uac
721. Service
722.  
723. Multimedia Class Scheduler
724.  
725. ProcessTelemetryReport
726.  
727. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
728. 604
729. API Call
730.  
731. API Name: Sleep Address: 0x0040de21
732. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
733. 604
734. 3 Repeated items skipped
735. ProcessTelemetryReport
736.  
737. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
738. 604
739. API Call
740.  
741. API Name: Sleep Address: 0x0040de21
742. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
743. 604
744. API Call
745.  
746. API Name: Sleep Address: 0x0040de21
747. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
748. 604
749. 4 Repeated items skipped
750. Malicious Alert
751. High Repeated Sleep Calls
752.  
753. Message: High repeated sleep calls
754.  
755. API Call
756.  
757. API Name: Sleep Address: 0x0040de21
758. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
759. 604
760. API Call
761.  
762. API Name: Sleep Address: 0x0040de21
763. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
764. 604
765. 4 Repeated items skipped
766. Regkey
767. Setval
768.  
769. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\System32\Configuration\"xmode" = 798
770. 604
771. Regkey
772. Setval
773.  
774. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\System32\Configuration\"xpk" = -----BEGIN PUBLIC KEY-----.MII
775. BojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAvfD/CUBDvPpIFqwP8nlu.35tyUUJpY1lTKUfNN7v8OvxnMUe6ymFY9z/
776. ZuqtLM8SGx2ZcR5Tr+QRQ319nwTSc.fabkNUQQLTwluHoVVp2xVQ2s2ygrdL0xKJOO/RIhh0wLg9tjpakvIfCXkRCaze14.Vc
777. ZEWlfqxPn6a27qUoaUYqDxt5wJtF7hFjPTS8N6XnpiXzkxCOE9rRS1PkNH33LI.CHD4UfBYvouMUSG8tqHB9krzNoTyPLZefI
778. +tNZSjPOn87HldAk8WkOkVT8HudVq6.MopiDGq34d3R2tDr4uhFs5+oqeU4/LkCC2YQalLPfxRkFXti0cKi76O2PJKbCdtb.O
779. QwD6fQf0O7hGrMXtd0Th7nXGqkaXbeESCMmSY88XkUoE4CB+TGoFuBpKLtAH8FZ.naZjGd2RzOpt0Ujk0Huk2qaJzWVMh0
780. 604
781. Regkey
782. Setval
783.  
784. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\System32\Configuration\"xstate" = 3
785. 604
786. Regkey
787. Setval
788.  
789. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\System32\Configuration\"xcnt" = 0
790. 604
791. API Call
792.  
793. API Name: GetSystemDirectoryW Address: 0x00412f62
794. Params: [0x33ef2d8, 1024]
795. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
796. 604
797. API Call
798.  
799. API Name: GetSystemDirectoryW Address: 0x00413079
800. Params: [0x18f1c8, 1024]
801. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
802. 604
803. File
804. Created
805.  
806. C:\README1.txt
807. 604
808. File
809. Close
810.  
811. C:\README1.txt
812. MD5: c1c8aa778ab31b146974da08d9259ecd
813. SHA1: cf3a7a326d7907c566b4e7a61b0b7f2505983473
814. 604 2136
815. File
816. Created
817.  
818. C:\README2.txt
819. 604
820. File
821. Close
822.  
823. C:\README2.txt
824. MD5: c1c8aa778ab31b146974da08d9259ecd
825. SHA1: cf3a7a326d7907c566b4e7a61b0b7f2505983473
826. 604 2136
827. File
828. Created
829.  
830. C:\README3.txt
831. 604
832. File
833. Close
834.  
835. C:\README3.txt
836. MD5: c1c8aa778ab31b146974da08d9259ecd
837. SHA1: cf3a7a326d7907c566b4e7a61b0b7f2505983473
838. 604 2136
839. File
840. Created
841.  
842. C:\README4.txt
843. 604
844. File
845. Close
846.  
847. C:\README4.txt
848. MD5: c1c8aa778ab31b146974da08d9259ecd
849. SHA1: cf3a7a326d7907c566b4e7a61b0b7f2505983473
850. 604 2136
851. File
852. Created
853.  
854. C:\README5.txt
855. 604
856. File
857. Close
858.  
859. C:\README5.txt
860. MD5: c1c8aa778ab31b146974da08d9259ecd
861. SHA1: cf3a7a326d7907c566b4e7a61b0b7f2505983473
862. 604 2136
863. File
864. Created
865.  
866. C:\README6.txt
867. 604
868. File
869. Close
870.  
871. C:\README6.txt
872. MD5: c1c8aa778ab31b146974da08d9259ecd
873. SHA1: cf3a7a326d7907c566b4e7a61b0b7f2505983473
874. 604 2136
875. File
876. Created
877.  
878. C:\README7.txt
879. 604
880. File
881. Close
882.  
883. C:\README7.txt
884. MD5: c1c8aa778ab31b146974da08d9259ecd
885. SHA1: cf3a7a326d7907c566b4e7a61b0b7f2505983473
886. 604 2136
887. File
888. Created
889.  
890. C:\README8.txt
891. 604
892. File
893. Close
894.  
895. C:\README8.txt
896. MD5: c1c8aa778ab31b146974da08d9259ecd
897. SHA1: cf3a7a326d7907c566b4e7a61b0b7f2505983473
898. 604 2136
899. File
900. Created
901.  
902. C:\README9.txt
903. 604
904. API Call
905.  
906. API Name: GetSystemDirectoryW Address: 0x00413079
907. Params: [0x18ef08, 1024]
908. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
909. 604
910. File
911. Close
912.  
913. C:\README9.txt
914. MD5: c1c8aa778ab31b146974da08d9259ecd
915. SHA1: cf3a7a326d7907c566b4e7a61b0b7f2505983473
916. 604 2136
917. File
918. Created
919.  
920. C:\README10.txt
921. 604
922. File
923. Close
924.  
925. C:\README10.txt
926. MD5: c1c8aa778ab31b146974da08d9259ecd
927. SHA1: cf3a7a326d7907c566b4e7a61b0b7f2505983473
928. 604 2136
929. Regkey
930. Setval
931.  
932. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\System32\Configuration\"xstate" = 4
933. 604
934. API Call
935.  
936. API Name: GetSystemDirectoryW Address: 0x00413079
937. Params: [0x352f540, 1024]
938. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
939. 604
940. File
941. Find
942.  
943. C:\*
944. 604
945. File
946. Find
947.  
948. C:\Users\*
949. 604
950. File
951. Open
952.  
953. C:\Users\Public\Videos\Sample Videos\Wildlife.wmv
954. 604 26246026
955. Process
956. Started
957.  
958. C:\Windows\System32\vssadmin.exe
959. Parentname: C:\Users\Administrator\AppData\Local\Temp\factura.exe
960. Command Line: C:\Windows\system32\vssadmin.exe List Shadows
961. MD5: e23dd973e1444684eb36365deff1fc74
962. SHA1: 09fafeb1b8404124b33c44440be7e3fdb6105f8a
963. 1048 604 167424
964. Regkey
965. Setval
966.  
967. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\System32\Configuration\"xcnt" = 0
968. 604
969. 91 Repeated items skipped
970. API Call
971.  
972. API Name: Sleep Address: 0x0040e6c8
973. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
974. 604
975. Mutex
976.  
977. \Sessions\1\BaseNamedObjects\DBWinMutex
978. 1048
979. Regkey
980. Queryvalue
981.  
982. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
983. 1048
984. API Call
985.  
986. API Name: Sleep Address: 0x0040e6c8
987. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
988. 604
989. API Call
990.  
991. API Name: Sleep Address: 0x0040e6c8
992. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
993. 604
994. API Call
995.  
996. API Name: Sleep Address: 0x0040e6c8
997. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
998. 604
999. Regkey
1000. Setval
1001.  
1002. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\System32\Configuration\"xcnt" = 0
1003. 604
1004. 4 Repeated items skipped
1005. Uac
1006. Service
1007.  
1008. Volume Shadow Copy
1009.  
1010. Uac
1011. Service
1012.  
1013. Microsoft Software Shadow Copy Provider
1014.  
1015. Process
1016. Terminated
1017.  
1018. C:\Windows\System32\vssadmin.exe
1019. Parentname: C:\Users\Administrator\AppData\Local\Temp\factura.exe
1020. Command Line: N/A
1021. 1048 604
1022. API Call
1023.  
1024. API Name: GetSystemDirectoryW Address: 0x00412f62
1025. Params: [0x33ef2d8, 1024]
1026. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
1027. 604
1028. Process
1029. Started
1030.  
1031. C:\Windows\System32\vssadmin.exe
1032. Parentname: C:\Users\Administrator\AppData\Local\Temp\factura.exe
1033. Command Line: C:\Windows\system32\vssadmin.exe Delete Shadows /All /Quiet
1034. MD5: e23dd973e1444684eb36365deff1fc74
1035. SHA1: 09fafeb1b8404124b33c44440be7e3fdb6105f8a
1036. 1808 604 167424
1037. Malicious Alert
1038. Disk Tampering Activity
1039.  
1040. Message: Disk Tampering
1041.  
1042. Malicious Alert
1043. Misc Anom
1044.  
1045. Message: Disk Tampering Detected
1046.  
1047. Mutex
1048.  
1049. \Sessions\1\BaseNamedObjects\DBWinMutex
1050. 1808
1051. Regkey
1052. Queryvalue
1053.  
1054. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
1055. 1808
1056. Regkey
1057. Setval
1058.  
1059. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\System32\Configuration\"xcnt" = 0
1060. 604
1061. ProcessTelemetryReport
1062.  
1063. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
1064. 604
1065. API Call
1066.  
1067. API Name: Sleep Address: 0x0040e6c8
1068. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
1069. 604
1070. Regkey
1071. Setval
1072.  
1073. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\System32\Configuration\"xcnt" = 0
1074. 604
1075. 13 Repeated items skipped
1076. ProcessTelemetryReport
1077.  
1078. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
1079. 604
1080. File
1081. Close
1082.  
1083. C:\Users\Public\Videos\Sample Videos\Wildlife.wmv
1084. MD5: d783aa11bdc83430f9d30ef39c37eb3e
1085. SHA1: b9aca26b0ffb2eb52362c8f82f198d894905a6ef
1086. 604 26246410
1087. File
1088. Open
1089.  
1090. C:\Users\Public\Videos\Sample Videos\Wildlife.wmv
1091. MD5: d783aa11bdc83430f9d30ef39c37eb3e
1092. SHA1: b9aca26b0ffb2eb52362c8f82f198d894905a6ef
1093. 604 26246410
1094. High Cpu
1095.  
1096. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
1097. 604
1098. File
1099. Close
1100.  
1101. C:\Users\Public\Videos\Sample Videos\Wildlife.wmv
1102. MD5: 0b366962504e9d26ede7554a1e543f1c
1103. SHA1: 142c7498960f43bf5abea19bd4511ba2008df44e
1104. 604 26246416
1105. File
1106. Rename
1107.  
1108. Old Name: C:\Users\Public\Videos\Sample Videos\Wildlife.wmv
1109. New Name: C:\Users\Public\Videos\Sample Videos\wDz6On8qmqltEd3LYIQIv4Rp+qEXQxh1KJpZlElW-5c=.7A2F0ADB1B90B147DA
1110. BB.no_more_ransom
1111. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
1112. MD5: 0b366962504e9d26ede7554a1e543f1c
1113. SHA1: 142c7498960f43bf5abea19bd4511ba2008df44e
1114. 604 26246416
1115. File
1116. Failed
1117.  
1118. C:\ProgramData\SYSTEM32
1119. 604
1120. Folder
1121. Created
1122.  
1123. C:\ProgramData\System32
1124. 604
1125. Folder
1126. Hide
1127.  
1128. C:\ProgramData\System32
1129. 604
1130. File
1131. Failed
1132.  
1133. C:\ProgramData\System32\XFS
1134. 604
1135. File
1136. Created
1137.  
1138. C:\ProgramData\System32\xfs
1139. 604
1140. File
1141. Close
1142.  
1143. C:\ProgramData\System32\xfs
1144. MD5: b40e775927a2f1c38d960921b60d7a8d
1145. SHA1: 46091bdfdb005fcaabf9489768fa9954907fe124
1146. 604 134
1147. File
1148. Hide
1149.  
1150. C:\ProgramData\System32\xfs
1151. MD5: b40e775927a2f1c38d960921b60d7a8d
1152. SHA1: 46091bdfdb005fcaabf9489768fa9954907fe124
1153. 604 134
1154. File
1155. Open
1156.  
1157. C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg
1158. 604 620888
1159. File
1160. Close
1161.  
1162. C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg
1163. MD5: 886b76b7e667b07eb384aef6b287dd8f
1164. SHA1: fa4710759b26074bc1071cb460845e03e4fbf961
1165. 604 621272
1166. File
1167. Open
1168.  
1169. C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg
1170. MD5: 886b76b7e667b07eb384aef6b287dd8f
1171. SHA1: fa4710759b26074bc1071cb460845e03e4fbf961
1172. 604 621272
1173. File
1174. Close
1175.  
1176. C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg
1177. MD5: eb5c740ca5e6b82f98731606438d2949
1178. SHA1: 1b0c15cbe0738dccfde2694b0609ce3f0367a551
1179. 604 621280
1180. File
1181. Rename
1182.  
1183. Old Name: C:\Users\Public\Pictures\Sample Pictures\Tulips.jpg
1184. New Name: C:\Users\Public\Pictures\Sample Pictures\PF+Cxm3VmNNzOXBRmkDH+Hg9aO+zrZWwFtNUkj2M0go=.7A2F0ADB1B90B1
1185. 47DABB.no_more_ransom
1186. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
1187. MD5: eb5c740ca5e6b82f98731606438d2949
1188. SHA1: 1b0c15cbe0738dccfde2694b0609ce3f0367a551
1189. 604 621280
1190. File
1191. Open
1192.  
1193. C:\ProgramData\System32\xfs
1194. MD5: b40e775927a2f1c38d960921b60d7a8d
1195. SHA1: 46091bdfdb005fcaabf9489768fa9954907fe124
1196. 604 134
1197. File
1198. Close
1199.  
1200. C:\ProgramData\System32\xfs
1201. MD5: 28da47be3cb23f6c66160ea208cfd372
1202. SHA1: a8525efdf940b2d2202cd8f78b044c72053c2645
1203. 604 274
1204. File
1205. Hide
1206.  
1207. C:\ProgramData\System32\xfs
1208. MD5: 28da47be3cb23f6c66160ea208cfd372
1209. SHA1: a8525efdf940b2d2202cd8f78b044c72053c2645
1210. 604 274
1211. File
1212. Open
1213.  
1214. C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg
1215. 604 777835
1216. File
1217. Close
1218.  
1219. C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg
1220. MD5: 433508676ab1e8516196371912f0c31d
1221. SHA1: f99cd9c7206459d0ad5e8c2d31266c004ddce650
1222. 604 778219
1223. File
1224. Open
1225.  
1226. C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg
1227. MD5: 433508676ab1e8516196371912f0c31d
1228. SHA1: f99cd9c7206459d0ad5e8c2d31266c004ddce650
1229. 604 778219
1230. File
1231. Close
1232.  
1233. C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg
1234. MD5: a12ed00d8d6a54423cef5e58a703ed44
1235. SHA1: 316d8eb4b55845f8df72d76251e2b979a1930048
1236. 604 778224
1237. File
1238. Rename
1239.  
1240. Old Name: C:\Users\Public\Pictures\Sample Pictures\Penguins.jpg
1241. New Name: C:\Users\Public\Pictures\Sample Pictures\L6bCSak2OI8V7u+sAHjsPsx58Q++QKWQvcU4Zscstn4=.7A2F0ADB1B90B1
1242. 47DABB.no_more_ransom
1243. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
1244. MD5: a12ed00d8d6a54423cef5e58a703ed44
1245. SHA1: 316d8eb4b55845f8df72d76251e2b979a1930048
1246. 604 778224
1247. File
1248. Open
1249.  
1250. C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg
1251. 604 561276
1252. File
1253. Open
1254.  
1255. C:\ProgramData\System32\xfs
1256. MD5: 28da47be3cb23f6c66160ea208cfd372
1257. SHA1: a8525efdf940b2d2202cd8f78b044c72053c2645
1258. 604 274
1259. File
1260. Close
1261.  
1262. C:\ProgramData\System32\xfs
1263. MD5: cb3ba0321674d2aed9570bc5ef2b9632
1264. SHA1: 878f39613d12a8ba5f0e2c67e0b5558b225768ab
1265. 604 418
1266. File
1267. Hide
1268.  
1269. C:\ProgramData\System32\xfs
1270. MD5: cb3ba0321674d2aed9570bc5ef2b9632
1271. SHA1: 878f39613d12a8ba5f0e2c67e0b5558b225768ab
1272. 604 418
1273. File
1274. Close
1275.  
1276. C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg
1277. MD5: c8f6785d95696592ae266486a46297eb
1278. SHA1: a61306f72a7368c47f3574dad6a098add3ec6712
1279. 604 561660
1280. File
1281. Open
1282.  
1283. C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg
1284. MD5: c8f6785d95696592ae266486a46297eb
1285. SHA1: a61306f72a7368c47f3574dad6a098add3ec6712
1286. 604 561660
1287. File
1288. Close
1289.  
1290. C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg
1291. MD5: 28df3d0418dece2e132c76b96d01c36a
1292. SHA1: 4cb0d2d02a5ffaab5f6728ba84c8587ab73a5c6c
1293. 604 561664
1294. File
1295. Rename
1296.  
1297. Old Name: C:\Users\Public\Pictures\Sample Pictures\Lighthouse.jpg
1298. New Name: C:\Users\Public\Pictures\Sample Pictures\P1XoWVaGq1E9j6v6sSwA4i13OmeNmtZAaHIkklpMjDE=.7A2F0ADB1B90B1
1299. 47DABB.no_more_ransom
1300. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
1301. MD5: 28df3d0418dece2e132c76b96d01c36a
1302. SHA1: 4cb0d2d02a5ffaab5f6728ba84c8587ab73a5c6c
1303. 604 561664
1304. File
1305. Open
1306.  
1307. C:\ProgramData\System32\xfs
1308. MD5: cb3ba0321674d2aed9570bc5ef2b9632
1309. SHA1: 878f39613d12a8ba5f0e2c67e0b5558b225768ab
1310. 604 418
1311. File
1312. Close
1313.  
1314. C:\ProgramData\System32\xfs
1315. MD5: 317508a377eb4904e7952e644d5083dc
1316. SHA1: d3d817cbb73e349f18b26f6bfcd7c4c6a24f8aa3
1317. 604 566
1318. File
1319. Hide
1320.  
1321. C:\ProgramData\System32\xfs
1322. MD5: 317508a377eb4904e7952e644d5083dc
1323. SHA1: d3d817cbb73e349f18b26f6bfcd7c4c6a24f8aa3
1324. 604 566
1325. File
1326. Open
1327.  
1328. C:\Users\Public\Pictures\Sample Pictures\Koala.jpg
1329. 604 780831
1330. File
1331. Close
1332.  
1333. C:\Users\Public\Pictures\Sample Pictures\Koala.jpg
1334. MD5: d07c705f4953407438ca30909060c103
1335. SHA1: af30f25c6dafd4fe1fb5eec131390a2ae82025a2
1336. 604 781215
1337. File
1338. Open
1339.  
1340. C:\Users\Public\Pictures\Sample Pictures\Koala.jpg
1341. MD5: d07c705f4953407438ca30909060c103
1342. SHA1: af30f25c6dafd4fe1fb5eec131390a2ae82025a2
1343. 604 781215
1344. File
1345. Close
1346.  
1347. C:\Users\Public\Pictures\Sample Pictures\Koala.jpg
1348. MD5: c9338c52434123f2f54a3c3457408a83
1349. SHA1: 41f485b26b432898c4f60483fae47a91d6e03522
1350. 604 781216
1351. File
1352. Rename
1353.  
1354. Old Name: C:\Users\Public\Pictures\Sample Pictures\Koala.jpg
1355. New Name: C:\Users\Public\Pictures\Sample Pictures\MvqtZijbhCa1ApycV7KdoZ7JrtsU71jZY7OClDl7riA=.7A2F0ADB1B90B1
1356. 47DABB.no_more_ransom
1357. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
1358. MD5: c9338c52434123f2f54a3c3457408a83
1359. SHA1: 41f485b26b432898c4f60483fae47a91d6e03522
1360. 604 781216
1361. File
1362. Open
1363.  
1364. C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg
1365. 604 775702
1366. File
1367. Open
1368.  
1369. C:\ProgramData\System32\xfs
1370. MD5: 317508a377eb4904e7952e644d5083dc
1371. SHA1: d3d817cbb73e349f18b26f6bfcd7c4c6a24f8aa3
1372. 604 566
1373. File
1374. Close
1375.  
1376. C:\ProgramData\System32\xfs
1377. MD5: 1fb7bd9abd449ec8bb2b47efba621de6
1378. SHA1: c2eeaece9396846ea37db7c08f8f0cdff49e11b0
1379. 604 704
1380. File
1381. Hide
1382.  
1383. C:\ProgramData\System32\xfs
1384. MD5: 1fb7bd9abd449ec8bb2b47efba621de6
1385. SHA1: c2eeaece9396846ea37db7c08f8f0cdff49e11b0
1386. 604 704
1387. File
1388. Close
1389.  
1390. C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg
1391. MD5: f4f3a2cb8e7fd3149570f217df1b57f3
1392. SHA1: f73cb686a9d10bfb04cdcdf22f5bbd61affee844
1393. 604 776086
1394. File
1395. Open
1396.  
1397. C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg
1398. MD5: f4f3a2cb8e7fd3149570f217df1b57f3
1399. SHA1: f73cb686a9d10bfb04cdcdf22f5bbd61affee844
1400. 604 776086
1401. File
1402. Close
1403.  
1404. C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg
1405. MD5: 9227c7f3ad19d90117759eb63a39892b
1406. SHA1: 41b542ff591636ae3049e01a4cf5bb20235e2048
1407. 604 776096
1408. File
1409. Rename
1410.  
1411. Old Name: C:\Users\Public\Pictures\Sample Pictures\Jellyfish.jpg
1412. New Name: C:\Users\Public\Pictures\Sample Pictures\nWfUYd5BKpzXCqQM483O0dY21f-4V-f5xQolZKlJLUo=.7A2F0ADB1B90B1
1413. 47DABB.no_more_ransom
1414. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
1415. MD5: 9227c7f3ad19d90117759eb63a39892b
1416. SHA1: 41b542ff591636ae3049e01a4cf5bb20235e2048
1417. 604 776096
1418. File
1419. Open
1420.  
1421. C:\ProgramData\System32\xfs
1422. MD5: 1fb7bd9abd449ec8bb2b47efba621de6
1423. SHA1: c2eeaece9396846ea37db7c08f8f0cdff49e11b0
1424. 604 704
1425. File
1426. Close
1427.  
1428. C:\ProgramData\System32\xfs
1429. MD5: bc7d33ef94aa0ab5fcb4ea1e713d2819
1430. SHA1: 814596c41c2830454d800eb93c8fc0ec3c86600f
1431. 604 850
1432. File
1433. Hide
1434.  
1435. C:\ProgramData\System32\xfs
1436. MD5: bc7d33ef94aa0ab5fcb4ea1e713d2819
1437. SHA1: 814596c41c2830454d800eb93c8fc0ec3c86600f
1438. 604 850
1439. File
1440. Open
1441.  
1442. C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg
1443. 604 595284
1444. File
1445. Close
1446.  
1447. C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg
1448. MD5: 438259ecbb7bd3d922aaed01b156d36e
1449. SHA1: 77eeab4898cedcd399bd7d696a91fb70f8ad5524
1450. 604 595668
1451. File
1452. Open
1453.  
1454. C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg
1455. MD5: 438259ecbb7bd3d922aaed01b156d36e
1456. SHA1: 77eeab4898cedcd399bd7d696a91fb70f8ad5524
1457. 604 595668
1458. File
1459. Close
1460.  
1461. C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg
1462. MD5: ccf3b949f31cd3f0e96f9112f09b97df
1463. SHA1: 99e901d9d10e80dddcac20a9c3e81d55f6ec873a
1464. 604 595680
1465. File
1466. Rename
1467.  
1468. Old Name: C:\Users\Public\Pictures\Sample Pictures\Hydrangeas.jpg
1469. New Name: C:\Users\Public\Pictures\Sample Pictures\PsKe54J-2GeOdO1RDI+dDZsdmBIqXthkOttHJtvKjx4=.7A2F0ADB1B90B1
1470. 47DABB.no_more_ransom
1471. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
1472. MD5: ccf3b949f31cd3f0e96f9112f09b97df
1473. SHA1: 99e901d9d10e80dddcac20a9c3e81d55f6ec873a
1474. 604 595680
1475. File
1476. Open
1477.  
1478. C:\Users\Public\Pictures\Sample Pictures\Desert.jpg
1479. 604 845941
1480. File
1481. Open
1482.  
1483. C:\ProgramData\System32\xfs
1484. MD5: bc7d33ef94aa0ab5fcb4ea1e713d2819
1485. SHA1: 814596c41c2830454d800eb93c8fc0ec3c86600f
1486. 604 850
1487. File
1488. Close
1489.  
1490. C:\ProgramData\System32\xfs
1491. MD5: 1b872bad3231d1f5b7895c79d95bcf9a
1492. SHA1: 0b8ea004023d5d1bb02c7b9d842671e674c2b1f5
1493. 604 998
1494. File
1495. Hide
1496.  
1497. C:\ProgramData\System32\xfs
1498. MD5: 1b872bad3231d1f5b7895c79d95bcf9a
1499. SHA1: 0b8ea004023d5d1bb02c7b9d842671e674c2b1f5
1500. 604 998
1501. File
1502. Close
1503.  
1504. C:\Users\Public\Pictures\Sample Pictures\Desert.jpg
1505. MD5: e3934c1d8793e85f1803223fed15729a
1506. SHA1: 6fbb08dfc191a4a4bfac272568c1c665cf0207bc
1507. 604 846325
1508. File
1509. Open
1510.  
1511. C:\Users\Public\Pictures\Sample Pictures\Desert.jpg
1512. MD5: e3934c1d8793e85f1803223fed15729a
1513. SHA1: 6fbb08dfc191a4a4bfac272568c1c665cf0207bc
1514. 604 846325
1515. File
1516. Close
1517.  
1518. C:\Users\Public\Pictures\Sample Pictures\Desert.jpg
1519. MD5: 991dac7cd99303c3beec2c511d5e69bb
1520. SHA1: 007517900e8ba6b8050cf1573a997e1f3ecf3fa4
1521. 604 846336
1522. File
1523. Rename
1524.  
1525. Old Name: C:\Users\Public\Pictures\Sample Pictures\Desert.jpg
1526. New Name: C:\Users\Public\Pictures\Sample Pictures\dmYzOCvVXR1Qu6XiXec9SHLa1VXU0QmJOBSicQx9qp0=.7A2F0ADB1B90B1
1527. 47DABB.no_more_ransom
1528. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
1529. MD5: 991dac7cd99303c3beec2c511d5e69bb
1530. SHA1: 007517900e8ba6b8050cf1573a997e1f3ecf3fa4
1531. 604 846336
1532. File
1533. Open
1534.  
1535. C:\ProgramData\System32\xfs
1536. MD5: 1b872bad3231d1f5b7895c79d95bcf9a
1537. SHA1: 0b8ea004023d5d1bb02c7b9d842671e674c2b1f5
1538. 604 998
1539. File
1540. Close
1541.  
1542. C:\ProgramData\System32\xfs
1543. MD5: 994dcbd48b9991af156b930045cb72e9
1544. SHA1: 2e4884b50791276e2e904b2c6504aec25e90bf2f
1545. 604 1138
1546. File
1547. Hide
1548.  
1549. C:\ProgramData\System32\xfs
1550. MD5: 994dcbd48b9991af156b930045cb72e9
1551. SHA1: 2e4884b50791276e2e904b2c6504aec25e90bf2f
1552. 604 1138
1553. File
1554. Open
1555.  
1556. C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg
1557. 604 879394
1558. File
1559. Close
1560.  
1561. C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg
1562. MD5: 129068ff72cbf9de8cd5b8e03fd8e94f
1563. SHA1: 639df059dfbed864eb2891ca045b65f88c035f5b
1564. 604 879778
1565. File
1566. Open
1567.  
1568. C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg
1569. MD5: 129068ff72cbf9de8cd5b8e03fd8e94f
1570. SHA1: 639df059dfbed864eb2891ca045b65f88c035f5b
1571. 604 879778
1572. File
1573. Close
1574.  
1575. C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg
1576. MD5: e8573bee38743e11eb978a11be66dcb0
1577. SHA1: b9190d7363f16ed119e1a8f005ed4b919ecfb6a5
1578. 604 879792
1579. File
1580. Rename
1581.  
1582. Old Name: C:\Users\Public\Pictures\Sample Pictures\Chrysanthemum.jpg
1583. New Name: C:\Users\Public\Pictures\Sample Pictures\SSV3w8pmgstpqHUT18WJ02KZK8X8BkgUeli8i++4Ftn09ijdKKeYRg6qljm
1584. dQd5d.7A2F0ADB1B90B147DABB.no_more_ransom
1585. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
1586. MD5: e8573bee38743e11eb978a11be66dcb0
1587. SHA1: b9190d7363f16ed119e1a8f005ed4b919ecfb6a5
1588. 604 879792
1589. File
1590. Open
1591.  
1592. C:\ProgramData\System32\xfs
1593. MD5: 994dcbd48b9991af156b930045cb72e9
1594. SHA1: 2e4884b50791276e2e904b2c6504aec25e90bf2f
1595. 604 1138
1596. File
1597. Close
1598.  
1599. C:\ProgramData\System32\xfs
1600. MD5: 268ca2df059c5a9ce5c26ef6f85d924f
1601. SHA1: 9501783d1aa3c4fa8eb4976d8f1a5d58b505036b
1602. 604 1292
1603. File
1604. Hide
1605.  
1606. C:\ProgramData\System32\xfs
1607. MD5: 268ca2df059c5a9ce5c26ef6f85d924f
1608. SHA1: 9501783d1aa3c4fa8eb4976d8f1a5d58b505036b
1609. 604 1292
1610. File
1611. Open
1612.  
1613. C:\Users\Public\Music\Sample Music\Sleep Away.mp3
1614. 604 4842585
1615. File
1616. Close
1617.  
1618. C:\Users\Public\Music\Sample Music\Sleep Away.mp3
1619. MD5: c67bbe427a8711f75d2d7d2719417d61
1620. SHA1: d3a1aa8d8077e6774916c461d07c1721f9773aad
1621. 604 4842969
1622. File
1623. Open
1624.  
1625. C:\Users\Public\Music\Sample Music\Sleep Away.mp3
1626. MD5: c67bbe427a8711f75d2d7d2719417d61
1627. SHA1: d3a1aa8d8077e6774916c461d07c1721f9773aad
1628. 604 4842969
1629. File
1630. Close
1631.  
1632. C:\Users\Public\Music\Sample Music\Sleep Away.mp3
1633. MD5: f8986b2b08c2fbce2ee85a846a7f001c
1634. SHA1: cc9f89632d710db0ff9d2ee811807a8015c2f642
1635. 604 4842976
1636. File
1637. Rename
1638.  
1639. Old Name: C:\Users\Public\Music\Sample Music\Sleep Away.mp3
1640. New Name: C:\Users\Public\Music\Sample Music\Hnz3Uc0S-lbrqf7X69HranOJBU35BAtGbdmuXtz7YX8=.7A2F0ADB1B90B147DABB
1641. .no_more_ransom
1642. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
1643. MD5: f8986b2b08c2fbce2ee85a846a7f001c
1644. SHA1: cc9f89632d710db0ff9d2ee811807a8015c2f642
1645. 604 4842976
1646. File
1647. Open
1648.  
1649. C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3
1650. 604 4113874
1651. File
1652. Open
1653.  
1654. C:\ProgramData\System32\xfs
1655. MD5: 268ca2df059c5a9ce5c26ef6f85d924f
1656. SHA1: 9501783d1aa3c4fa8eb4976d8f1a5d58b505036b
1657. 604 1292
1658. File
1659. Close
1660.  
1661. C:\ProgramData\System32\xfs
1662. MD5: f10c079071c47cfd58918e3e72920aa5
1663. SHA1: a16470bf1d09f96060a918a6b4f0f46a1863888b
1664. 604 1428
1665. File
1666. Hide
1667.  
1668. C:\ProgramData\System32\xfs
1669. MD5: f10c079071c47cfd58918e3e72920aa5
1670. SHA1: a16470bf1d09f96060a918a6b4f0f46a1863888b
1671. 604 1428
1672. API Call
1673.  
1674. API Name: Sleep Address: 0x0040e6c8
1675. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
1676. 604
1677. ProcessTelemetryReport
1678.  
1679. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
1680. 604
1681. Regkey
1682. Setval
1683.  
1684. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\System32\Configuration\"xcnt" = 10
1685. 604
1686. File
1687. Close
1688.  
1689. C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3
1690. MD5: 52ec85f46d9f1164792a3489ecf81009
1691. SHA1: f7ff3b7fbfb36e2eda9f04e86ef60f2d2bb6cbef
1692. 604 4114258
1693. File
1694. Open
1695.  
1696. C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3
1697. MD5: 52ec85f46d9f1164792a3489ecf81009
1698. SHA1: f7ff3b7fbfb36e2eda9f04e86ef60f2d2bb6cbef
1699. 604 4114258
1700. File
1701. Close
1702.  
1703. C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3
1704. MD5: 5b3f9e01fc83f4f441ad7b67af09f11e
1705. SHA1: 80a3ee5a53c48bdc94549e0fdfdbaa28ad261c1a
1706. 604 4114272
1707. File
1708. Rename
1709.  
1710. Old Name: C:\Users\Public\Music\Sample Music\Maid with the Flaxen Hair.mp3
1711. New Name: C:\Users\Public\Music\Sample Music\EpG22a-RASJeJaFSbWvusDTLftbNTaghcy35AJsBoRg6Gr7rDhJH+DPMqrAO7VE+A
1712. VBtZEVXIrcl5OsEpSrNCg==.7A2F0ADB1B90B147DABB.no_more_ransom
1713. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
1714. MD5: 5b3f9e01fc83f4f441ad7b67af09f11e
1715. SHA1: 80a3ee5a53c48bdc94549e0fdfdbaa28ad261c1a
1716. 604 4114272
1717. File
1718. Open
1719.  
1720. C:\ProgramData\System32\xfs
1721. MD5: f10c079071c47cfd58918e3e72920aa5
1722. SHA1: a16470bf1d09f96060a918a6b4f0f46a1863888b
1723. 604 1428
1724. File
1725. Close
1726.  
1727. C:\ProgramData\System32\xfs
1728. MD5: 9f0a52ec410dc015bbbdb5006476fbee
1729. SHA1: 31abdb3951e1fe8c6f6476f75092d58239f4be23
1730. 604 1594
1731. File
1732. Hide
1733.  
1734. C:\ProgramData\System32\xfs
1735. MD5: 9f0a52ec410dc015bbbdb5006476fbee
1736. SHA1: 31abdb3951e1fe8c6f6476f75092d58239f4be23
1737. 604 1594
1738. File
1739. Open
1740.  
1741. C:\Users\Public\Music\Sample Music\Kalimba.mp3
1742. 604 8414449
1743. File
1744. Close
1745.  
1746. C:\Users\Public\Music\Sample Music\Kalimba.mp3
1747. MD5: b15d6f2196d8e2ddd256524f5662276f
1748. SHA1: c142f307dd2cdddb9979a369c02024e804074d56
1749. 604 8414833
1750. File
1751. Open
1752.  
1753. C:\Users\Public\Music\Sample Music\Kalimba.mp3
1754. MD5: b15d6f2196d8e2ddd256524f5662276f
1755. SHA1: c142f307dd2cdddb9979a369c02024e804074d56
1756. 604 8414833
1757. File
1758. Close
1759.  
1760. C:\Users\Public\Music\Sample Music\Kalimba.mp3
1761. MD5: 1783edfd94f1bba7359238e705b298db
1762. SHA1: df3780405e90cea5622471ef3ab094c0191641a8
1763. 604 8414848
1764. File
1765. Rename
1766.  
1767. Old Name: C:\Users\Public\Music\Sample Music\Kalimba.mp3
1768. New Name: C:\Users\Public\Music\Sample Music\FgPA-zefXcNw-zR2AvLhpmeRnLkAQImTuqhcDdL0E9E=.7A2F0ADB1B90B147DABB
1769. .no_more_ransom
1770. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
1771. MD5: 1783edfd94f1bba7359238e705b298db
1772. SHA1: df3780405e90cea5622471ef3ab094c0191641a8
1773. 604 8414848
1774. File
1775. Open
1776.  
1777. C:\ProgramData\System32\xfs
1778. MD5: 9f0a52ec410dc015bbbdb5006476fbee
1779. SHA1: 31abdb3951e1fe8c6f6476f75092d58239f4be23
1780. 604 1594
1781. File
1782. Close
1783.  
1784. C:\ProgramData\System32\xfs
1785. MD5: d1a4f2392188feb2397890f63cc5c953
1786. SHA1: 3fd70395c041bca61e57e211552182b36101321d
1787. 604 1724
1788. Ransom
1789.  
1790. C:\Users\Public\Music\cocpFV_ihD.wav
1791. MD5: 615f35a9891ba630998f6aa13ef45054
1792.  
1793. Malicious Alert
1794. Ransomware
1795.  
1796. Message: Ransomware Activity
1797.  
1798. Malicious Alert
1799. Misc Anom
1800.  
1801. Message: Ransomware Activity
1802.  
1803. File
1804. Hide
1805.  
1806. C:\ProgramData\System32\xfs
1807. MD5: d1a4f2392188feb2397890f63cc5c953
1808. SHA1: 3fd70395c041bca61e57e211552182b36101321d
1809. 604 1724
1810. File
1811. Open
1812.  
1813. C:\ProgramData\System32\xfs
1814. MD5: d1a4f2392188feb2397890f63cc5c953
1815. SHA1: 3fd70395c041bca61e57e211552182b36101321d
1816. 604 1724
1817. File
1818. Failed
1819.  
1820. C:\Users\Public\Documents\My Videos
1821. 604
1822. File
1823. Close
1824.  
1825. C:\ProgramData\System32\xfs
1826. MD5: 4cceb2f587948af3b0d8e06cb1f64bbe
1827. SHA1: 9b6c5e693f25c392fcda60fcbaca508a94d49e7e
1828. 604 1834
1829. File
1830. Failed
1831.  
1832. C:\Users\Public\Documents\My Pictures
1833. 604
1834. File
1835. Failed
1836.  
1837. C:\Users\Public\Documents\My Music
1838. 604
1839. File
1840. Hide
1841.  
1842. C:\ProgramData\System32\xfs
1843. MD5: 4cceb2f587948af3b0d8e06cb1f64bbe
1844. SHA1: 9b6c5e693f25c392fcda60fcbaca508a94d49e7e
1845. 604 1834
1846. Ransom
1847.  
1848. C:\Users\Public\Documents\cZLDe-\xTnfgLg.jpg
1849. MD5: e0b0209e3c8107371d32a0cd757f907f
1850.  
1851. Ransom
1852.  
1853. C:\Users\Public\Documents\cZLDe-\WiPLiBqrX.doc
1854. MD5: c25bd3988639d7aa8be215a50c5bf089
1855.  
1856. Ransom
1857.  
1858. C:\Users\Public\Documents\cZLDe-\NxoFCO.xls
1859. MD5: e17db3c35a95beef2652b2044b08a9d5
1860.  
1861. File
1862. Open
1863.  
1864. C:\ProgramData\System32\xfs
1865. MD5: 4cceb2f587948af3b0d8e06cb1f64bbe
1866. SHA1: 9b6c5e693f25c392fcda60fcbaca508a94d49e7e
1867. 604 1834
1868. File
1869. Close
1870.  
1871. C:\ProgramData\System32\xfs
1872. MD5: a91b81161b47cb9f591c1b8312201022
1873. SHA1: 7a6712f8a35290edccd948478c2ea884aa1cf15d
1874. 604 2022
1875. File
1876. Hide
1877.  
1878. C:\ProgramData\System32\xfs
1879. MD5: a91b81161b47cb9f591c1b8312201022
1880. SHA1: 7a6712f8a35290edccd948478c2ea884aa1cf15d
1881. 604 2022
1882. Ransom
1883.  
1884. C:\Users\Public\Documents\cZLDe-\LG-Lu.txt
1885. MD5: 0a7d2ce4812613c448457291faa21395
1886.  
1887. File
1888. Open
1889.  
1890. C:\ProgramData\System32\xfs
1891. MD5: a91b81161b47cb9f591c1b8312201022
1892. SHA1: 7a6712f8a35290edccd948478c2ea884aa1cf15d
1893. 604 2022
1894. File
1895. Close
1896.  
1897. C:\ProgramData\System32\xfs
1898. MD5: 96248bd1ec5f8e539800db84f2e97f3e
1899. SHA1: 991d080d499317fa1d77d436bfba1c6d93fd42bc
1900. 604 2146
1901. File
1902. Hide
1903.  
1904. C:\ProgramData\System32\xfs
1905. MD5: 96248bd1ec5f8e539800db84f2e97f3e
1906. SHA1: 991d080d499317fa1d77d436bfba1c6d93fd42bc
1907. 604 2146
1908. Ransom
1909.  
1910. C:\Users\Public\Documents\cZLDe-\cyhuszTB.html
1911. MD5: e643ac556bc2ebc061394e77fdad5f8a
1912.  
1913. File
1914. Open
1915.  
1916. C:\ProgramData\System32\xfs
1917. MD5: 96248bd1ec5f8e539800db84f2e97f3e
1918. SHA1: 991d080d499317fa1d77d436bfba1c6d93fd42bc
1919. 604 2146
1920. File
1921. Close
1922.  
1923. C:\ProgramData\System32\xfs
1924. MD5: 56ea7cb505271706cb2974c749cf6aed
1925. SHA1: f4e3373ce1e95fe99e06890b06f731600f90e47d
1926. 604 2268
1927. File
1928. Hide
1929.  
1930. C:\ProgramData\System32\xfs
1931. MD5: 56ea7cb505271706cb2974c749cf6aed
1932. SHA1: f4e3373ce1e95fe99e06890b06f731600f90e47d
1933. 604 2268
1934. Ransom
1935.  
1936. C:\Users\Public\Documents\cZLDe-\CAMEu.ppt
1937. MD5: adf9de9ecd1bd9da5beb369d4e200bbc
1938.  
1939. File
1940. Open
1941.  
1942. C:\ProgramData\System32\xfs
1943. MD5: 56ea7cb505271706cb2974c749cf6aed
1944. SHA1: f4e3373ce1e95fe99e06890b06f731600f90e47d
1945. 604 2268
1946. File
1947. Close
1948.  
1949. C:\ProgramData\System32\xfs
1950. MD5: 16c2db7f9420440cdb48f666e8101fb9
1951. SHA1: c4a9d85e5c35abffd4ffa70089d484e9703c0767
1952. 604 2398
1953. File
1954. Hide
1955.  
1956. C:\ProgramData\System32\xfs
1957. MD5: 16c2db7f9420440cdb48f666e8101fb9
1958. SHA1: c4a9d85e5c35abffd4ffa70089d484e9703c0767
1959. 604 2398
1960. File
1961. Failed
1962.  
1963. C:\Users\Default User
1964. 604
1965. File
1966. Open
1967.  
1968. C:\ProgramData\System32\xfs
1969. MD5: 16c2db7f9420440cdb48f666e8101fb9
1970. SHA1: c4a9d85e5c35abffd4ffa70089d484e9703c0767
1971. 604 2398
1972. File
1973. Close
1974.  
1975. C:\ProgramData\System32\xfs
1976. MD5: 6b82c25051991da4145c958aedd3c587
1977. SHA1: dc822231e62f03a6198be7435f1360ff28ae53d7
1978. 604 2520
1979. File
1980. Hide
1981.  
1982. C:\ProgramData\System32\xfs
1983. MD5: 6b82c25051991da4145c958aedd3c587
1984. SHA1: dc822231e62f03a6198be7435f1360ff28ae53d7
1985. 604 2520
1986. File
1987. Failed
1988.  
1989. C:\Users\Default\Templates
1990. 604
1991. File
1992. Failed
1993.  
1994. C:\Users\Default\Start Menu
1995. 604
1996. File
1997. Failed
1998.  
1999. C:\Users\Default\SendTo
2000. 604
2001. File
2002. Failed
2003.  
2004. C:\Users\Default\Recent
2005. 604
2006. File
2007. Failed
2008.  
2009. C:\Users\Default\PrintHood
2010. 604
2011. File
2012. Failed
2013.  
2014. C:\Users\Default\NetHood
2015. 604
2016. File
2017. Failed
2018.  
2019. C:\Users\Default\My Documents
2020. 604
2021. File
2022. Failed
2023.  
2024. C:\Users\Default\Local Settings
2025. 604
2026. File
2027. Failed
2028.  
2029. C:\Users\Default\Documents\My Videos
2030. 604
2031. File
2032. Failed
2033.  
2034. C:\Users\Default\Documents\My Pictures
2035. 604
2036. File
2037. Failed
2038.  
2039. C:\Users\Default\Documents\My Music
2040. 604
2041. File
2042. Failed
2043.  
2044. C:\Users\Default\Cookies
2045. 604
2046. File
2047. Failed
2048.  
2049. C:\Users\Default\Application Data
2050. 604
2051. Folder
2052. Open
2053.  
2054. C:\Users\Default\AppData\Roaming\Microsoft\Windows\Cookies
2055. 604
2056. File
2057. Failed
2058.  
2059. C:\Users\Default\AppData\Local\Temporary Internet Files
2060. 604
2061. File
2062. Failed
2063.  
2064. C:\Users\Default\AppData\Local\History
2065. 604
2066. File
2067. Failed
2068.  
2069. C:\Users\Default\AppData\Local\Application Data
2070. 604
2071. File
2072. Open
2073.  
2074. C:\Users\Default\NTUSER.DAT.LOG
2075. 604 1024
2076. File
2077. Close
2078.  
2079. C:\Users\Default\NTUSER.DAT.LOG
2080. MD5: 1d37b69cef8145013c7c4519e74a3e05
2081. SHA1: 00966e36b522b98fb24387a6a372d54dbfae959f
2082. 604 1408
2083. File
2084. Open
2085.  
2086. C:\Users\Default\NTUSER.DAT.LOG
2087. MD5: 1d37b69cef8145013c7c4519e74a3e05
2088. SHA1: 00966e36b522b98fb24387a6a372d54dbfae959f
2089. 604 1408
2090. File
2091. Close
2092.  
2093. C:\Users\Default\NTUSER.DAT.LOG
2094. MD5: a68649a030493c9a3fced34a9ce79a7e
2095. SHA1: a6a8cd80c4047637cf2be65df9170f86b2262614
2096. 604 1408
2097. File
2098. Rename
2099.  
2100. Old Name: C:\Users\Default\NTUSER.DAT.LOG
2101. New Name: C:\Users\Default\BQhNoa4s-9gCT5aupZN6EbhSBui8gZbaRaM-QkkmIH0=.7A2F0ADB1B90B147DABB.no_more_ransom
2102. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
2103. MD5: a68649a030493c9a3fced34a9ce79a7e
2104. SHA1: a6a8cd80c4047637cf2be65df9170f86b2262614
2105. 604 1408
2106. File
2107. Failed
2108.  
2109. C:\ProgramData\Templates
2110. 604
2111. File
2112. Open
2113.  
2114. C:\ProgramData\System32\xfs
2115. MD5: 6b82c25051991da4145c958aedd3c587
2116. SHA1: dc822231e62f03a6198be7435f1360ff28ae53d7
2117. 604 2520
2118. File
2119. Close
2120.  
2121. C:\ProgramData\System32\xfs
2122. MD5: 7324dcd92102e0493238e75bfb9f54bf
2123. SHA1: 9e2d759db27084b0081a8798885fc5aeeb68195a
2124. 604 2620
2125. File
2126. Hide
2127.  
2128. C:\ProgramData\System32\xfs
2129. MD5: 7324dcd92102e0493238e75bfb9f54bf
2130. SHA1: 9e2d759db27084b0081a8798885fc5aeeb68195a
2131. 604 2620
2132. File
2133. Open
2134.  
2135. C:\ProgramData\Sun\Java\Java Update\jaureglist.xml
2136. 604 185
2137. File
2138. Close
2139.  
2140. C:\ProgramData\Sun\Java\Java Update\jaureglist.xml
2141. MD5: bf79db17f612fd0716bd9170bcd87a44
2142. SHA1: 2a4a45d42c9343831b44b3bfee81a99e19ad236e
2143. 604 569
2144. File
2145. Open
2146.  
2147. C:\ProgramData\Sun\Java\Java Update\jaureglist.xml
2148. MD5: bf79db17f612fd0716bd9170bcd87a44
2149. SHA1: 2a4a45d42c9343831b44b3bfee81a99e19ad236e
2150. 604 569
2151. File
2152. Close
2153.  
2154. C:\ProgramData\Sun\Java\Java Update\jaureglist.xml
2155. MD5: 45f89a51335bc5ab6dc2ec60daad3e9e
2156. SHA1: 36be167bb9eb1d819bd2526153f560fbada3e067
2157. 604 576
2158. File
2159. Rename
2160.  
2161. Old Name: C:\ProgramData\Sun\Java\Java Update\jaureglist.xml
2162. New Name: C:\ProgramData\Sun\Java\Java Update\fYkCjj2U4HrlixMS2nUUVqyPc1sypGnN3YbW3H3bHbQ=.7A2F0ADB1B90B147DAB
2163. B.no_more_ransom
2164. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
2165. MD5: 45f89a51335bc5ab6dc2ec60daad3e9e
2166. SHA1: 36be167bb9eb1d819bd2526153f560fbada3e067
2167. 604 576
2168. File
2169. Failed
2170.  
2171. C:\ProgramData\Start Menu
2172. 604
2173. File
2174. Open
2175.  
2176. C:\ProgramData\System32\xfs
2177. MD5: 7324dcd92102e0493238e75bfb9f54bf
2178. SHA1: 9e2d759db27084b0081a8798885fc5aeeb68195a
2179. 604 2620
2180. File
2181. Close
2182.  
2183. C:\ProgramData\System32\xfs
2184. MD5: e55b310507ede3a193041b7956e3851a
2185. SHA1: b0564de0148a5c0dbf0ba9f47fe218af55951e10
2186. 604 2766
2187. File
2188. Hide
2189.  
2190. C:\ProgramData\System32\xfs
2191. MD5: e55b310507ede3a193041b7956e3851a
2192. SHA1: b0564de0148a5c0dbf0ba9f47fe218af55951e10
2193. 604 2766
2194. File
2195. Open
2196.  
2197. C:\ProgramData\RealNetworks\RealDownloader\Scripts\bookmark.js
2198. 604 12021
2199. File
2200. Close
2201.  
2202. C:\ProgramData\RealNetworks\RealDownloader\Scripts\bookmark.js
2203. MD5: 2777bcceafc88c5f3635c4c848df6a29
2204. SHA1: 3f001b3a8d45013ba5608078fcd97e85c02e147d
2205. 604 12405
2206. File
2207. Open
2208.  
2209. C:\ProgramData\RealNetworks\RealDownloader\Scripts\bookmark.js
2210. MD5: 2777bcceafc88c5f3635c4c848df6a29
2211. SHA1: 3f001b3a8d45013ba5608078fcd97e85c02e147d
2212. 604 12405
2213. File
2214. Close
2215.  
2216. C:\ProgramData\RealNetworks\RealDownloader\Scripts\bookmark.js
2217. MD5: 6004bdd76a27d75493790767c7df3811
2218. SHA1: 0dc21a79945f6bf787238409bdfd5f1c963e311f
2219. 604 12416
2220. File
2221. Rename
2222.  
2223. Old Name: C:\ProgramData\RealNetworks\RealDownloader\Scripts\bookmark.js
2224. New Name: C:\ProgramData\RealNetworks\RealDownloader\Scripts\PYFOq5l4lSRFeX3z6RtrpN5Tg3Kd1AWB-NmFIXE36+g=.7A2F
2225. 0ADB1B90B147DABB.no_more_ransom
2226. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
2227. MD5: 6004bdd76a27d75493790767c7df3811
2228. SHA1: 0dc21a79945f6bf787238409bdfd5f1c963e311f
2229. 604 12416
2230. File
2231. Open
2232.  
2233. C:\ProgramData\System32\xfs
2234. MD5: e55b310507ede3a193041b7956e3851a
2235. SHA1: b0564de0148a5c0dbf0ba9f47fe218af55951e10
2236. 604 2766
2237. File
2238. Close
2239.  
2240. C:\ProgramData\System32\xfs
2241. MD5: 380f12b8a50094222da495f9ca461bd7
2242. SHA1: d552545fa355133decefbeb85b162a836b753bcf
2243. 604 2936
2244. File
2245. Hide
2246.  
2247. C:\ProgramData\System32\xfs
2248. MD5: 380f12b8a50094222da495f9ca461bd7
2249. SHA1: d552545fa355133decefbeb85b162a836b753bcf
2250. 604 2936
2251. File
2252. Open
2253.  
2254. C:\ProgramData\RealNetworks\RealDownloader\Flash\sharemedia.swf
2255. 604 860148
2256. File
2257. Close
2258.  
2259. C:\ProgramData\RealNetworks\RealDownloader\Flash\sharemedia.swf
2260. MD5: 47267d3bf7b348b0e57f6dcb78805661
2261. SHA1: bef6cdc18df5747147ac16b4688501188d20640a
2262. 604 860532
2263. File
2264. Open
2265.  
2266. C:\ProgramData\RealNetworks\RealDownloader\Flash\sharemedia.swf
2267. MD5: 47267d3bf7b348b0e57f6dcb78805661
2268. SHA1: bef6cdc18df5747147ac16b4688501188d20640a
2269. 604 860532
2270. File
2271. Close
2272.  
2273. C:\ProgramData\RealNetworks\RealDownloader\Flash\sharemedia.swf
2274. MD5: db807af7c8df283ae927b50dc6b212e7
2275. SHA1: 909c5802798cfa8afd84ffb21fbdeefd4bcf2cac
2276. 604 860544
2277. File
2278. Rename
2279.  
2280. Old Name: C:\ProgramData\RealNetworks\RealDownloader\Flash\sharemedia.swf
2281. New Name: C:\ProgramData\RealNetworks\RealDownloader\Flash\po7-b-4o652uQo5+N7pcKtl8hE2UfB5lQjtRNi5-Veg=.7A2F0A
2282. DB1B90B147DABB.no_more_ransom
2283. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
2284. MD5: db807af7c8df283ae927b50dc6b212e7
2285. SHA1: 909c5802798cfa8afd84ffb21fbdeefd4bcf2cac
2286. 604 860544
2287. File
2288. Open
2289.  
2290. C:\ProgramData\RealNetworks\RealDownloader\Downloader\madatastore.dat
2291. 604 80
2292. File
2293. Open
2294.  
2295. C:\ProgramData\System32\xfs
2296. MD5: 380f12b8a50094222da495f9ca461bd7
2297. SHA1: d552545fa355133decefbeb85b162a836b753bcf
2298. 604 2936
2299. File
2300. Close
2301.  
2302. C:\ProgramData\RealNetworks\RealDownloader\Downloader\madatastore.dat
2303. MD5: 2a5c34227a08c0d1979539b2810aa152
2304. SHA1: d310663b2de46d2997346f973e98760eb95ae893
2305. 604 464
2306. File
2307. Open
2308.  
2309. C:\ProgramData\RealNetworks\RealDownloader\Downloader\madatastore.dat
2310. MD5: 2a5c34227a08c0d1979539b2810aa152
2311. SHA1: d310663b2de46d2997346f973e98760eb95ae893
2312. 604 464
2313. File
2314. Close
2315.  
2316. C:\ProgramData\System32\xfs
2317. MD5: 4fd5c02485a2269752bbc264f2563765
2318. SHA1: 69d438edd9d50432acaaa57a2779a88427714ce9
2319. 604 3108
2320. File
2321. Hide
2322.  
2323. C:\ProgramData\System32\xfs
2324. MD5: 4fd5c02485a2269752bbc264f2563765
2325. SHA1: 69d438edd9d50432acaaa57a2779a88427714ce9
2326. 604 3108
2327. File
2328. Close
2329.  
2330. C:\ProgramData\RealNetworks\RealDownloader\Downloader\madatastore.dat
2331. MD5: 77be20c155412a250a496ce69217c3fd
2332. SHA1: ca10edfaf3cf553166c1db1ff5d1831e01639999
2333. 604 464
2334. File
2335. Rename
2336.  
2337. Old Name: C:\ProgramData\RealNetworks\RealDownloader\Downloader\madatastore.dat
2338. New Name: C:\ProgramData\RealNetworks\RealDownloader\Downloader\vARsbs6vUdVDw1NVEw7MkNNNSCDYGOUWYvlPPV1ZPEc=.7
2339. A2F0ADB1B90B147DABB.no_more_ransom
2340. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
2341. MD5: 77be20c155412a250a496ce69217c3fd
2342. SHA1: ca10edfaf3cf553166c1db1ff5d1831e01639999
2343. 604 464
2344. File
2345. Open
2346.  
2347. C:\ProgramData\System32\xfs
2348. MD5: 4fd5c02485a2269752bbc264f2563765
2349. SHA1: 69d438edd9d50432acaaa57a2779a88427714ce9
2350. 604 3108
2351. File
2352. Close
2353.  
2354. C:\ProgramData\System32\xfs
2355. MD5: f1612e4d2ed195dbd4d1fb16e235fd6c
2356. SHA1: a0c62175588d5988da8dd780a13a7f68f5d1cd8f
2357. 604 3292
2358. File
2359. Hide
2360.  
2361. C:\ProgramData\System32\xfs
2362. MD5: f1612e4d2ed195dbd4d1fb16e235fd6c
2363. SHA1: a0c62175588d5988da8dd780a13a7f68f5d1cd8f
2364. 604 3292
2365. File
2366. Open
2367.  
2368. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Zune.xml
2369. 604 6783
2370. File
2371. Close
2372.  
2373. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Zune.xml
2374. MD5: c184b54247e762e885cb1ebffa41fa4e
2375. SHA1: d8f7c6d3b071be3c3461cb9d74ded4c088f061ec
2376. 604 7167
2377. File
2378. Open
2379.  
2380. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Zune.xml
2381. MD5: c184b54247e762e885cb1ebffa41fa4e
2382. SHA1: d8f7c6d3b071be3c3461cb9d74ded4c088f061ec
2383. 604 7167
2384. File
2385. Close
2386.  
2387. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Zune.xml
2388. MD5: 694b42cee7cceb3c033c0e6a6152b728
2389. SHA1: 8fec98d6b2f6b8416d73064fb1adc58d68d7382e
2390. 604 7168
2391. File
2392. Rename
2393.  
2394. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Zune.xml
2395. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Yms2LC7ttj7D3RR+pa45+Q==.7A2F0ADB1B90B147D
2396. ABB.no_more_ransom
2397. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
2398. MD5: 694b42cee7cceb3c033c0e6a6152b728
2399. SHA1: 8fec98d6b2f6b8416d73064fb1adc58d68d7382e
2400. 604 7168
2401. File
2402. Open
2403.  
2404. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Xbox360.xml
2405. 604 6691
2406. File
2407. Open
2408.  
2409. C:\ProgramData\System32\xfs
2410. MD5: f1612e4d2ed195dbd4d1fb16e235fd6c
2411. SHA1: a0c62175588d5988da8dd780a13a7f68f5d1cd8f
2412. 604 3292
2413. File
2414. Close
2415.  
2416. C:\ProgramData\System32\xfs
2417. MD5: 088b3d2587573b18d49654409f5269d8
2418. SHA1: 5b7d647a6279cbab8fa085eb55fbaed7fbd34d9f
2419. 604 3470
2420. File
2421. Hide
2422.  
2423. C:\ProgramData\System32\xfs
2424. MD5: 088b3d2587573b18d49654409f5269d8
2425. SHA1: 5b7d647a6279cbab8fa085eb55fbaed7fbd34d9f
2426. 604 3470
2427. File
2428. Close
2429.  
2430. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Xbox360.xml
2431. MD5: 5be94aa15d27bd5c6d2d44dfd800808e
2432. SHA1: fc419c9b0af50ab3664b13f96fafd8cd11a298ad
2433. 604 7075
2434. File
2435. Open
2436.  
2437. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Xbox360.xml
2438. MD5: 5be94aa15d27bd5c6d2d44dfd800808e
2439. SHA1: fc419c9b0af50ab3664b13f96fafd8cd11a298ad
2440. 604 7075
2441. File
2442. Close
2443.  
2444. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Xbox360.xml
2445. MD5: 273ae25a20a9c161bd04f95d407966ff
2446. SHA1: e786377cddf92230676e9b58819357c766cdb990
2447. 604 7088
2448. File
2449. Rename
2450.  
2451. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Xbox360.xml
2452. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\lhtH9E-Z3zcCvX9fWVoxcXIB1b+hI5zsZSjTNvKe2j
2453. U=.7A2F0ADB1B90B147DABB.no_more_ransom
2454. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
2455. MD5: 273ae25a20a9c161bd04f95d407966ff
2456. SHA1: e786377cddf92230676e9b58819357c766cdb990
2457. 604 7088
2458. File
2459. Open
2460.  
2461. C:\ProgramData\System32\xfs
2462. MD5: 088b3d2587573b18d49654409f5269d8
2463. SHA1: 5b7d647a6279cbab8fa085eb55fbaed7fbd34d9f
2464. 604 3470
2465. File
2466. Close
2467.  
2468. C:\ProgramData\System32\xfs
2469. MD5: 1108642c696e20c0ef5c60d41505216d
2470. SHA1: 31864df068aa180dff0d79eba38bb877fafda7fd
2471. 604 3654
2472. File
2473. Hide
2474.  
2475. C:\ProgramData\System32\xfs
2476. MD5: 1108642c696e20c0ef5c60d41505216d
2477. SHA1: 31864df068aa180dff0d79eba38bb877fafda7fd
2478. 604 3654
2479. File
2480. Open
2481.  
2482. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\T-MobileG1.xml
2483. 604 4649
2484. File
2485. Close
2486.  
2487. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\T-MobileG1.xml
2488. MD5: 1a9a423a6ecfe4f81e830a2371df7cf3
2489. SHA1: 08e596a9583235e347b45185dc92e241b1e6a6f1
2490. 604 5033
2491. File
2492. Open
2493.  
2494. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\T-MobileG1.xml
2495. MD5: 1a9a423a6ecfe4f81e830a2371df7cf3
2496. SHA1: 08e596a9583235e347b45185dc92e241b1e6a6f1
2497. 604 5033
2498. File
2499. Close
2500.  
2501. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\T-MobileG1.xml
2502. MD5: 145fc2015bc840e07a1efac5ccc0b846
2503. SHA1: e6c8f81e25e5ebf316fca7cb78c6c5e233fa13bd
2504. 604 5040
2505. File
2506. Rename
2507.  
2508. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\T-MobileG1.xml
2509. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\KSJA8NBynNjzop7lpo3ut8TML0b0mWFEdUs90KMdh1
2510. s=.7A2F0ADB1B90B147DABB.no_more_ransom
2511. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
2512. MD5: 145fc2015bc840e07a1efac5ccc0b846
2513. SHA1: e6c8f81e25e5ebf316fca7cb78c6c5e233fa13bd
2514. 604 5040
2515. File
2516. Open
2517.  
2518. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SonyEricssonW760.xml
2519. 604 5363
2520. File
2521. Open
2522.  
2523. C:\ProgramData\System32\xfs
2524. MD5: 1108642c696e20c0ef5c60d41505216d
2525. SHA1: 31864df068aa180dff0d79eba38bb877fafda7fd
2526. 604 3654
2527. File
2528. Close
2529.  
2530. C:\ProgramData\System32\xfs
2531. MD5: 808401175319073e68d6cf269dfff305
2532. SHA1: 6d30278c69e379eab8fd25ece7186d2bee126c5f
2533. 604 3844
2534. File
2535. Hide
2536.  
2537. C:\ProgramData\System32\xfs
2538. MD5: 808401175319073e68d6cf269dfff305
2539. SHA1: 6d30278c69e379eab8fd25ece7186d2bee126c5f
2540. 604 3844
2541. File
2542. Close
2543.  
2544. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SonyEricssonW760.xml
2545. MD5: ea25ddae9cbfc44dee48ab4c094e92a6
2546. SHA1: 17c8acaf8efd005770b9e24d64d39623832214f8
2547. 604 5747
2548. File
2549. Open
2550.  
2551. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SonyEricssonW760.xml
2552. MD5: ea25ddae9cbfc44dee48ab4c094e92a6
2553. SHA1: 17c8acaf8efd005770b9e24d64d39623832214f8
2554. 604 5747
2555. File
2556. Close
2557.  
2558. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SonyEricssonW760.xml
2559. MD5: efb2876d81d1c067f11512549cffcc6e
2560. SHA1: 0412c57773f0a66c860cbc0ba7a6e15a6f4b45fe
2561. 604 5760
2562. File
2563. Rename
2564.  
2565. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SonyEricssonW760.xml
2566. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\02imqzJMzhdtLtqkdBHUUKrRFdn16zvLyxuB5i4LOV
2567. oA3G1YkJs9ouhuLE+sjqXX.7A2F0ADB1B90B147DABB.no_more_ransom
2568. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
2569. MD5: efb2876d81d1c067f11512549cffcc6e
2570. SHA1: 0412c57773f0a66c860cbc0ba7a6e15a6f4b45fe
2571. 604 5760
2572. File
2573. Open
2574.  
2575. C:\ProgramData\System32\xfs
2576. MD5: 808401175319073e68d6cf269dfff305
2577. SHA1: 6d30278c69e379eab8fd25ece7186d2bee126c5f
2578. 604 3844
2579. File
2580. Close
2581.  
2582. C:\ProgramData\System32\xfs
2583. MD5: 9ab60b58240e908524497674b4b541c8
2584. SHA1: 0747b2855ab4345075253c71ffd465ef618e3f38
2585. 604 4046
2586. File
2587. Hide
2588.  
2589. C:\ProgramData\System32\xfs
2590. MD5: 9ab60b58240e908524497674b4b541c8
2591. SHA1: 0747b2855ab4345075253c71ffd465ef618e3f38
2592. 604 4046
2593. File
2594. Open
2595.  
2596. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Sidekick.xml
2597. 604 4014
2598. File
2599. Close
2600.  
2601. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Sidekick.xml
2602. MD5: 387ba605bda41d97ff79dc82d437095f
2603. SHA1: 7179f123148025273b93826d3362782deddc0788
2604. 604 4398
2605. File
2606. Open
2607.  
2608. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Sidekick.xml
2609. MD5: 387ba605bda41d97ff79dc82d437095f
2610. SHA1: 7179f123148025273b93826d3362782deddc0788
2611. 604 4398
2612. File
2613. Close
2614.  
2615. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Sidekick.xml
2616. MD5: fa2e7e1279155e7667a7530092cf86a0
2617. SHA1: 6a255067887d856ec8e7154e183a8d8640c0c522
2618. 604 4400
2619. File
2620. Rename
2621.  
2622. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Sidekick.xml
2623. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\uninQwZmvkMwO8A8L4h-c+Q-Rw9QGP2HqclnC+uHHV
2624. 4=.7A2F0ADB1B90B147DABB.no_more_ransom
2625. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
2626. MD5: fa2e7e1279155e7667a7530092cf86a0
2627. SHA1: 6a255067887d856ec8e7154e183a8d8640c0c522
2628. 604 4400
2629. File
2630. Open
2631.  
2632. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungMoment.xml
2633. 604 7105
2634. File
2635. Open
2636.  
2637. C:\ProgramData\System32\xfs
2638. MD5: 9ab60b58240e908524497674b4b541c8
2639. SHA1: 0747b2855ab4345075253c71ffd465ef618e3f38
2640. 604 4046
2641. File
2642. Close
2643.  
2644. C:\ProgramData\System32\xfs
2645. MD5: 51229eaef48abc70e448fbeea34076b5
2646. SHA1: 1aa762f1c13a735573968dc6487c024e9ed658ef
2647. 604 4232
2648. File
2649. Hide
2650.  
2651. C:\ProgramData\System32\xfs
2652. MD5: 51229eaef48abc70e448fbeea34076b5
2653. SHA1: 1aa762f1c13a735573968dc6487c024e9ed658ef
2654. 604 4232
2655. File
2656. Close
2657.  
2658. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungMoment.xml
2659. MD5: 4d279b826e54a73726b5d9fbb8df7888
2660. SHA1: 42ab163c3e8234203a8dcc54bfc2b85b4f469f79
2661. 604 7489
2662. File
2663. Open
2664.  
2665. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungMoment.xml
2666. MD5: 4d279b826e54a73726b5d9fbb8df7888
2667. SHA1: 42ab163c3e8234203a8dcc54bfc2b85b4f469f79
2668. 604 7489
2669. File
2670. Close
2671.  
2672. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungMoment.xml
2673. MD5: 2ea94923c9e3df1d2c39f25469d3602f
2674. SHA1: 49358c1987aa7f4f58151938cf1f6bd3765c8d5d
2675. 604 7504
2676. File
2677. Rename
2678.  
2679. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungMoment.xml
2680. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\exkuUO7i5KEr5Y3HiFe3Tw0WAJK9y9uMqff6AwrPuE
2681. +zdVR8rA+pf86L6n2TPRmq.7A2F0ADB1B90B147DABB.no_more_ransom
2682. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
2683. MD5: 2ea94923c9e3df1d2c39f25469d3602f
2684. SHA1: 49358c1987aa7f4f58151938cf1f6bd3765c8d5d
2685. 604 7504
2686. File
2687. Open
2688.  
2689. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungMemoir.xml
2690. 604 5458
2691. File
2692. Open
2693.  
2694. C:\ProgramData\System32\xfs
2695. MD5: 51229eaef48abc70e448fbeea34076b5
2696. SHA1: 1aa762f1c13a735573968dc6487c024e9ed658ef
2697. 604 4232
2698. File
2699. Close
2700.  
2701. C:\ProgramData\System32\xfs
2702. MD5: 73996aa8e26096f4cc1483ca84028531
2703. SHA1: 0c10264059ee938303937982abd0338ebb3c3671
2704. 604 4428
2705. File
2706. Hide
2707.  
2708. C:\ProgramData\System32\xfs
2709. MD5: 73996aa8e26096f4cc1483ca84028531
2710. SHA1: 0c10264059ee938303937982abd0338ebb3c3671
2711. 604 4428
2712. File
2713. Close
2714.  
2715. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungMemoir.xml
2716. MD5: 240d2245dcd494f5d6fb5fc8da67f1a6
2717. SHA1: 09dabe48ea2155c85b46016c5cf8efccb8dae39d
2718. 604 5842
2719. File
2720. Open
2721.  
2722. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungMemoir.xml
2723. MD5: 240d2245dcd494f5d6fb5fc8da67f1a6
2724. SHA1: 09dabe48ea2155c85b46016c5cf8efccb8dae39d
2725. 604 5842
2726. File
2727. Close
2728.  
2729. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungMemoir.xml
2730. MD5: 5ea0553c92edf8510769d036fff1759a
2731. SHA1: 6bee3ed7e2bb5e74bcbb6795af7f60cc78713783
2732. 604 5856
2733. File
2734. Rename
2735.  
2736. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungMemoir.xml
2737. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\0FhNN0+4a7HQlHd82oMsdwGQ2or3MsmZdaJ6U6ubTu
2738. 6oFvmrSofqF+zoc7VmnkuV.7A2F0ADB1B90B147DABB.no_more_ransom
2739. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
2740. MD5: 5ea0553c92edf8510769d036fff1759a
2741. SHA1: 6bee3ed7e2bb5e74bcbb6795af7f60cc78713783
2742. 604 5856
2743. File
2744. Open
2745.  
2746. C:\ProgramData\System32\xfs
2747. MD5: 73996aa8e26096f4cc1483ca84028531
2748. SHA1: 0c10264059ee938303937982abd0338ebb3c3671
2749. 604 4428
2750. File
2751. Close
2752.  
2753. C:\ProgramData\System32\xfs
2754. MD5: 8371abd406c44d480e2381fc98b089d3
2755. SHA1: 9c6098a35f9dd90379df3ab618172e5bc0e24873
2756. 604 4624
2757. File
2758. Open
2759.  
2760. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungJack.xml
2761. 604 6033
2762. File
2763. Hide
2764.  
2765. C:\ProgramData\System32\xfs
2766. MD5: 8371abd406c44d480e2381fc98b089d3
2767. SHA1: 9c6098a35f9dd90379df3ab618172e5bc0e24873
2768. 604 4624
2769. File
2770. Close
2771.  
2772. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungJack.xml
2773. MD5: 75eaa5e6d3485132d3246184e042f8f8
2774. SHA1: b67eafe273faef4899f95abc6b6de9a662528be6
2775. 604 6417
2776. File
2777. Open
2778.  
2779. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungJack.xml
2780. MD5: 75eaa5e6d3485132d3246184e042f8f8
2781. SHA1: b67eafe273faef4899f95abc6b6de9a662528be6
2782. 604 6417
2783. File
2784. Close
2785.  
2786. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungJack.xml
2787. MD5: af133ce0dd7d1bab614fb4ed16e0fc9c
2788. SHA1: 05b721cf2dbc26ea6f3556cdfdddda0cf79cf18e
2789. 604 6432
2790. File
2791. Rename
2792.  
2793. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungJack.xml
2794. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\NgcaHL0pivRAgpFzavanafFxCnQer4R31jAyJZTTIn
2795. Q=.7A2F0ADB1B90B147DABB.no_more_ransom
2796. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
2797. MD5: af133ce0dd7d1bab614fb4ed16e0fc9c
2798. SHA1: 05b721cf2dbc26ea6f3556cdfdddda0cf79cf18e
2799. 604 6432
2800. File
2801. Open
2802.  
2803. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungGalaxyS3.xml
2804. 604 9171
2805. File
2806. Open
2807.  
2808. C:\ProgramData\System32\xfs
2809. MD5: 8371abd406c44d480e2381fc98b089d3
2810. SHA1: 9c6098a35f9dd90379df3ab618172e5bc0e24873
2811. 604 4624
2812. File
2813. Close
2814.  
2815. C:\ProgramData\System32\xfs
2816. MD5: f2ac000a81aa51bc5d48674a30a4f1e0
2817. SHA1: 3f241b98cf33675d97c50615d1671940ec28e60d
2818. 604 4816
2819. File
2820. Hide
2821.  
2822. C:\ProgramData\System32\xfs
2823. MD5: f2ac000a81aa51bc5d48674a30a4f1e0
2824. SHA1: 3f241b98cf33675d97c50615d1671940ec28e60d
2825. 604 4816
2826. File
2827. Close
2828.  
2829. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungGalaxyS3.xml
2830. MD5: 2d00bddb3a54e51e000065f2d8ebaddf
2831. SHA1: 35264efacba25d061b3864cdecfaf18b450ce0ce
2832. 604 9555
2833. File
2834. Open
2835.  
2836. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungGalaxyS3.xml
2837. MD5: 2d00bddb3a54e51e000065f2d8ebaddf
2838. SHA1: 35264efacba25d061b3864cdecfaf18b450ce0ce
2839. 604 9555
2840. File
2841. Close
2842.  
2843. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungGalaxyS3.xml
2844. MD5: 1cf144adac94cd537b47ee4f21dd10d6
2845. SHA1: f1cf3fec6341874c5896d9d63a84f7c6cb97bfc5
2846. 604 9568
2847. File
2848. Rename
2849.  
2850. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungGalaxyS3.xml
2851. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\oupMqDzQmWdjlHlZ6TG+YuKeqrFOGJf4hNcwrq3y6H
2852. 8TtYV8hLU5KWpQS7-jd-jQ.7A2F0ADB1B90B147DABB.no_more_ransom
2853. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
2854. MD5: 1cf144adac94cd537b47ee4f21dd10d6
2855. SHA1: f1cf3fec6341874c5896d9d63a84f7c6cb97bfc5
2856. 604 9568
2857. File
2858. Open
2859.  
2860. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungGalaxyS2.xml
2861. 604 9459
2862. File
2863. Open
2864.  
2865. C:\ProgramData\System32\xfs
2866. MD5: f2ac000a81aa51bc5d48674a30a4f1e0
2867. SHA1: 3f241b98cf33675d97c50615d1671940ec28e60d
2868. 604 4816
2869. File
2870. Close
2871.  
2872. C:\ProgramData\System32\xfs
2873. MD5: 63c80283c4e2f69c8a70a5f9e8ab395f
2874. SHA1: bbb0fb6287db67eed652409a40df563edb241c24
2875. 604 5016
2876. File
2877. Hide
2878.  
2879. C:\ProgramData\System32\xfs
2880. MD5: 63c80283c4e2f69c8a70a5f9e8ab395f
2881. SHA1: bbb0fb6287db67eed652409a40df563edb241c24
2882. 604 5016
2883. File
2884. Close
2885.  
2886. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungGalaxyS2.xml
2887. MD5: d4dc9df19bcb162fe81194e9d5ad3a33
2888. SHA1: 6eca36042a9eccef37b9d0db15550377b40243b8
2889. 604 9843
2890. File
2891. Open
2892.  
2893. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungGalaxyS2.xml
2894. MD5: d4dc9df19bcb162fe81194e9d5ad3a33
2895. SHA1: 6eca36042a9eccef37b9d0db15550377b40243b8
2896. 604 9843
2897. File
2898. Close
2899.  
2900. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungGalaxyS2.xml
2901. MD5: bf42aecd830042694bb57d15e42a6aef
2902. SHA1: 5e6f30b3f7688358a59ba0d944680fea3740499a
2903. 604 9856
2904. File
2905. Rename
2906.  
2907. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungGalaxyS2.xml
2908. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\H46UnhdE0tMJ8VOrybgp48X6NDRw2DQTU46EF99Ms1
2909. sNoeWyNhSBLmvZLa83PmAV.7A2F0ADB1B90B147DABB.no_more_ransom
2910. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
2911. MD5: bf42aecd830042694bb57d15e42a6aef
2912. SHA1: 5e6f30b3f7688358a59ba0d944680fea3740499a
2913. 604 9856
2914. File
2915. Open
2916.  
2917. C:\ProgramData\System32\xfs
2918. MD5: 63c80283c4e2f69c8a70a5f9e8ab395f
2919. SHA1: bbb0fb6287db67eed652409a40df563edb241c24
2920. 604 5016
2921. File
2922. Open
2923.  
2924. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungGalaxyNote.xml
2925. 604 9148
2926. File
2927. Close
2928.  
2929. C:\ProgramData\System32\xfs
2930. MD5: d23451717faef006838316174ef64585
2931. SHA1: f15e966f3e6ee81bedbc4d045060640becc2ecc7
2932. 604 5216
2933. File
2934. Hide
2935.  
2936. C:\ProgramData\System32\xfs
2937. MD5: d23451717faef006838316174ef64585
2938. SHA1: f15e966f3e6ee81bedbc4d045060640becc2ecc7
2939. 604 5216
2940. File
2941. Close
2942.  
2943. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungGalaxyNote.xml
2944. MD5: baac8853d55a81b675a91babc6e30e12
2945. SHA1: ef93db41dab7bca35fa3b602f6c06be9efc81c4c
2946. 604 9532
2947. File
2948. Open
2949.  
2950. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungGalaxyNote.xml
2951. MD5: baac8853d55a81b675a91babc6e30e12
2952. SHA1: ef93db41dab7bca35fa3b602f6c06be9efc81c4c
2953. 604 9532
2954. File
2955. Close
2956.  
2957. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungGalaxyNote.xml
2958. MD5: 6a3ab23d1631917486509bf382236df8
2959. SHA1: 2b0cde1c97178151c690d406f38cb2ce26e113eb
2960. 604 9536
2961. File
2962. Rename
2963.  
2964. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungGalaxyNote.xml
2965. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\qq9O1JbBBBi477CMcrMndJT08n4RkwqJrJUCm7jCHs
2966. V4yowBrvobSRgaTHqvJtBi.7A2F0ADB1B90B147DABB.no_more_ransom
2967. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
2968. MD5: 6a3ab23d1631917486509bf382236df8
2969. SHA1: 2b0cde1c97178151c690d406f38cb2ce26e113eb
2970. 604 9536
2971. File
2972. Open
2973.  
2974. C:\ProgramData\System32\xfs
2975. MD5: d23451717faef006838316174ef64585
2976. SHA1: f15e966f3e6ee81bedbc4d045060640becc2ecc7
2977. 604 5216
2978. File
2979. Close
2980.  
2981. C:\ProgramData\System32\xfs
2982. MD5: 8541dcaf4a469f6f6a3bc60a77dc1374
2983. SHA1: c8723053425af261fbef70151fbb6841d3580faa
2984. 604 5420
2985. File
2986. Open
2987.  
2988. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungEternity.xml
2989. 604 6520
2990. File
2991. Hide
2992.  
2993. C:\ProgramData\System32\xfs
2994. MD5: 8541dcaf4a469f6f6a3bc60a77dc1374
2995. SHA1: c8723053425af261fbef70151fbb6841d3580faa
2996. 604 5420
2997. File
2998. Close
2999.  
3000. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungEternity.xml
3001. MD5: 9f891b8321615ba959ccef8720eb0e73
3002. SHA1: 0ac22f087d75b1332cf3fbdba8266c3e45825092
3003. 604 6904
3004. File
3005. Open
3006.  
3007. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungEternity.xml
3008. MD5: 9f891b8321615ba959ccef8720eb0e73
3009. SHA1: 0ac22f087d75b1332cf3fbdba8266c3e45825092
3010. 604 6904
3011. File
3012. Close
3013.  
3014. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungEternity.xml
3015. MD5: f0fd7dfaeb600ddeb3272092e8485ade
3016. SHA1: 13a19b7135d899b5407d95f44f21d8b1246771ae
3017. 604 6912
3018. File
3019. Rename
3020.  
3021. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungEternity.xml
3022. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\f6l1wLbDDtkSyWk+7jVhLan3rgCgD98dlFE+3z9oI6
3023. ut+QMa2-g-efQH+FJcC5WT.7A2F0ADB1B90B147DABB.no_more_ransom
3024. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
3025. MD5: f0fd7dfaeb600ddeb3272092e8485ade
3026. SHA1: 13a19b7135d899b5407d95f44f21d8b1246771ae
3027. 604 6912
3028. File
3029. Open
3030.  
3031. C:\ProgramData\System32\xfs
3032. MD5: 8541dcaf4a469f6f6a3bc60a77dc1374
3033. SHA1: c8723053425af261fbef70151fbb6841d3580faa
3034. 604 5420
3035. File
3036. Open
3037.  
3038. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungBeholdII.xml
3039. 604 5164
3040. File
3041. Close
3042.  
3043. C:\ProgramData\System32\xfs
3044. MD5: 72464befa235d477254864a3078174ea
3045. SHA1: 6213b1233bab057d23ef7b78b1f43c7855df9a21
3046. 604 5620
3047. File
3048. Hide
3049.  
3050. C:\ProgramData\System32\xfs
3051. MD5: 72464befa235d477254864a3078174ea
3052. SHA1: 6213b1233bab057d23ef7b78b1f43c7855df9a21
3053. 604 5620
3054. File
3055. Close
3056.  
3057. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungBeholdII.xml
3058. MD5: 2bee511cffad099ab400d42afcd1c53e
3059. SHA1: f90ad767bd205b099f08c79640d1e815a74293ee
3060. 604 5548
3061. File
3062. Open
3063.  
3064. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungBeholdII.xml
3065. MD5: 2bee511cffad099ab400d42afcd1c53e
3066. SHA1: f90ad767bd205b099f08c79640d1e815a74293ee
3067. 604 5548
3068. File
3069. Close
3070.  
3071. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungBeholdII.xml
3072. MD5: 7fbd801070f1f60ca4e42a6ffd06dbcd
3073. SHA1: 26a46620bf2c29e94584d5ae565dea6c2560ff0b
3074. 604 5552
3075. File
3076. Rename
3077.  
3078. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SamsungBeholdII.xml
3079. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\x5bCKfHJlECvbho1SRjDUX5bUm+g1BExr0WncGPIBj
3080. tCe9Whr4Jsop6XtF9HQvBv.7A2F0ADB1B90B147DABB.no_more_ransom
3081. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
3082. MD5: 7fbd801070f1f60ca4e42a6ffd06dbcd
3083. SHA1: 26a46620bf2c29e94584d5ae565dea6c2560ff0b
3084. 604 5552
3085. File
3086. Open
3087.  
3088. C:\ProgramData\System32\xfs
3089. MD5: 72464befa235d477254864a3078174ea
3090. SHA1: 6213b1233bab057d23ef7b78b1f43c7855df9a21
3091. 604 5620
3092. File
3093. Open
3094.  
3095. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Samsung.xml
3096. 604 6497
3097. File
3098. Close
3099.  
3100. C:\ProgramData\System32\xfs
3101. MD5: d55fdaddead04ef4b8126cb90431dffa
3102. SHA1: a2eb62311b84e2aa05d2157562a934328aacb650
3103. 604 5820
3104. File
3105. Hide
3106.  
3107. C:\ProgramData\System32\xfs
3108. MD5: d55fdaddead04ef4b8126cb90431dffa
3109. SHA1: a2eb62311b84e2aa05d2157562a934328aacb650
3110. 604 5820
3111. File
3112. Close
3113.  
3114. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Samsung.xml
3115. MD5: b43a4c62b3978cb863cbc586fff2ca07
3116. SHA1: 15ba48fc91de2ebd10e71c999c7f72c9b339dc03
3117. 604 6881
3118. File
3119. Open
3120.  
3121. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Samsung.xml
3122. MD5: b43a4c62b3978cb863cbc586fff2ca07
3123. SHA1: 15ba48fc91de2ebd10e71c999c7f72c9b339dc03
3124. 604 6881
3125. File
3126. Close
3127.  
3128. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Samsung.xml
3129. MD5: 70721dd35b4cc705d1d01d9a741b97ab
3130. SHA1: 8392432d4985e2ac259f8e2d4f41552821c4c999
3131. 604 6896
3132. File
3133. Rename
3134.  
3135. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Samsung.xml
3136. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\vQPhHe23jv4OrMOzOnLSUGP6ZBVmGKon9GD1pB080G
3137. o=.7A2F0ADB1B90B147DABB.no_more_ransom
3138. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
3139. MD5: 70721dd35b4cc705d1d01d9a741b97ab
3140. SHA1: 8392432d4985e2ac259f8e2d4f41552821c4c999
3141. 604 6896
3142. File
3143. Open
3144.  
3145. C:\ProgramData\System32\xfs
3146. MD5: d55fdaddead04ef4b8126cb90431dffa
3147. SHA1: a2eb62311b84e2aa05d2157562a934328aacb650
3148. 604 5820
3149. File
3150. Open
3151.  
3152. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\PSP.xml
3153. 604 4818
3154. File
3155. Close
3156.  
3157. C:\ProgramData\System32\xfs
3158. MD5: f40c6f323dda67468533dac61b7fd4ca
3159. SHA1: d385e46a489e1e8c074d809c8836da960cf41620
3160. 604 6004
3161. File
3162. Hide
3163.  
3164. C:\ProgramData\System32\xfs
3165. MD5: f40c6f323dda67468533dac61b7fd4ca
3166. SHA1: d385e46a489e1e8c074d809c8836da960cf41620
3167. 604 6004
3168. File
3169. Close
3170.  
3171. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\PSP.xml
3172. MD5: a04f7ac6ddac2afaffe33cfc93ebb7aa
3173. SHA1: 18b8721ba03e848e9f9f8331230a2ecfebbfa857
3174. 604 5202
3175. File
3176. Open
3177.  
3178. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\PSP.xml
3179. MD5: a04f7ac6ddac2afaffe33cfc93ebb7aa
3180. SHA1: 18b8721ba03e848e9f9f8331230a2ecfebbfa857
3181. 604 5202
3182. File
3183. Close
3184.  
3185. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\PSP.xml
3186. MD5: 8acf1f77304c16700ac42eee28991732
3187. SHA1: 66d619ca8f970cd3e669147d2aa9cc4c6bebf3df
3188. 604 5216
3189. File
3190. Rename
3191.  
3192. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\PSP.xml
3193. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\UQiEmkNdPK+Y7yTLeh5GHA==.7A2F0ADB1B90B147D
3194. ABB.no_more_ransom
3195. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
3196. MD5: 8acf1f77304c16700ac42eee28991732
3197. SHA1: 66d619ca8f970cd3e669147d2aa9cc4c6bebf3df
3198. 604 5216
3199. File
3200. Open
3201.  
3202. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\PlayStation3.xml
3203. 604 6708
3204. File
3205. Open
3206.  
3207. C:\ProgramData\System32\xfs
3208. MD5: f40c6f323dda67468533dac61b7fd4ca
3209. SHA1: d385e46a489e1e8c074d809c8836da960cf41620
3210. 604 6004
3211. File
3212. Close
3213.  
3214. C:\ProgramData\System32\xfs
3215. MD5: c1169d8afe6832b1038374ff7eb154ec
3216. SHA1: 6ea322769ba990412d9e4aaf945533b58958e494
3217. 604 6180
3218. File
3219. Hide
3220.  
3221. C:\ProgramData\System32\xfs
3222. MD5: c1169d8afe6832b1038374ff7eb154ec
3223. SHA1: 6ea322769ba990412d9e4aaf945533b58958e494
3224. 604 6180
3225. File
3226. Close
3227.  
3228. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\PlayStation3.xml
3229. MD5: 9b59c2caadfd97c3091240952f84fbac
3230. SHA1: c269fbbca452fdcdcbc94d4335a558bfa934b242
3231. 604 7092
3232. File
3233. Open
3234.  
3235. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\PlayStation3.xml
3236. MD5: 9b59c2caadfd97c3091240952f84fbac
3237. SHA1: c269fbbca452fdcdcbc94d4335a558bfa934b242
3238. 604 7092
3239. File
3240. Close
3241.  
3242. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\PlayStation3.xml
3243. MD5: ef43c1c7263ba6927a55e9fd7f799200
3244. SHA1: 2b5b589dec02ef09d3362568368292f6f776ab14
3245. 604 7104
3246. File
3247. Rename
3248.  
3249. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\PlayStation3.xml
3250. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\XKJA+KWgahf1pps-wS-VsEMJLs3jJjuDBcs4mgBexP
3251. k=.7A2F0ADB1B90B147DABB.no_more_ransom
3252. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
3253. MD5: ef43c1c7263ba6927a55e9fd7f799200
3254. SHA1: 2b5b589dec02ef09d3362568368292f6f776ab14
3255. 604 7104
3256. File
3257. Open
3258.  
3259. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\PCorMac.xml
3260. 604 9992
3261. File
3262. Open
3263.  
3264. C:\ProgramData\System32\xfs
3265. MD5: c1169d8afe6832b1038374ff7eb154ec
3266. SHA1: 6ea322769ba990412d9e4aaf945533b58958e494
3267. 604 6180
3268. File
3269. Close
3270.  
3271. C:\ProgramData\System32\xfs
3272. MD5: 52605d341648947ba3d2e3138050a5bc
3273. SHA1: c82d5d8939d862a2c1d417dff074655e83f0f78d
3274. 604 6374
3275. File
3276. Hide
3277.  
3278. C:\ProgramData\System32\xfs
3279. MD5: 52605d341648947ba3d2e3138050a5bc
3280. SHA1: c82d5d8939d862a2c1d417dff074655e83f0f78d
3281. 604 6374
3282. File
3283. Close
3284.  
3285. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\PCorMac.xml
3286. MD5: 14e93db48a76535d4f4555125c75b998
3287. SHA1: 05f7325e041e17ef58d0f71c0a0d0055087ab534
3288. 604 10376
3289. File
3290. Open
3291.  
3292. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\PCorMac.xml
3293. MD5: 14e93db48a76535d4f4555125c75b998
3294. SHA1: 05f7325e041e17ef58d0f71c0a0d0055087ab534
3295. 604 10376
3296. File
3297. Close
3298.  
3299. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\PCorMac.xml
3300. MD5: 55334f6dfb6a6158621624df2217a811
3301. SHA1: f5906e0291e9d60a2e2170b3e146f4d1727e736a
3302. 604 10384
3303. File
3304. Rename
3305.  
3306. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\PCorMac.xml
3307. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Hfh9x-CSbyN6PMY6UWRb7hBZVray8M+sKd4hBen+vy
3308. w=.7A2F0ADB1B90B147DABB.no_more_ransom
3309. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
3310. MD5: 55334f6dfb6a6158621624df2217a811
3311. SHA1: f5906e0291e9d60a2e2170b3e146f4d1727e736a
3312. 604 10384
3313. File
3314. Open
3315.  
3316. C:\ProgramData\System32\xfs
3317. MD5: 52605d341648947ba3d2e3138050a5bc
3318. SHA1: c82d5d8939d862a2c1d417dff074655e83f0f78d
3319. 604 6374
3320. File
3321. Open
3322.  
3323. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\PalmPre.xml
3324. 604 5441
3325. File
3326. Close
3327.  
3328. C:\ProgramData\System32\xfs
3329. MD5: 31371f9d1d0353e7662912edccbb2ab5
3330. SHA1: 16eab066d51c8576938529d7a25ab7c7173a13f0
3331. 604 6558
3332. File
3333. Hide
3334.  
3335. C:\ProgramData\System32\xfs
3336. MD5: 31371f9d1d0353e7662912edccbb2ab5
3337. SHA1: 16eab066d51c8576938529d7a25ab7c7173a13f0
3338. 604 6558
3339. File
3340. Close
3341.  
3342. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\PalmPre.xml
3343. MD5: 05ed9317068f6637695e1a8134f11245
3344. SHA1: 12fd77d03997a9c9d1053b9fa40656320a11d125
3345. 604 5825
3346. File
3347. Open
3348.  
3349. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\PalmPre.xml
3350. MD5: 05ed9317068f6637695e1a8134f11245
3351. SHA1: 12fd77d03997a9c9d1053b9fa40656320a11d125
3352. 604 5825
3353. File
3354. Close
3355.  
3356. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\PalmPre.xml
3357. MD5: 983d060830be5f091c4e6d79f8ec1332
3358. SHA1: f8c74b16cdfccbe5a6091660f53bf54c8c93b2c0
3359. 604 5840
3360. File
3361. Rename
3362.  
3363. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\PalmPre.xml
3364. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\4lro6UrnZnAnolbzLAkyFW1ppECWPHwwcDV2O3wYYE
3365. U=.7A2F0ADB1B90B147DABB.no_more_ransom
3366. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
3367. MD5: 983d060830be5f091c4e6d79f8ec1332
3368. SHA1: f8c74b16cdfccbe5a6091660f53bf54c8c93b2c0
3369. 604 5840
3370. File
3371. Open
3372.  
3373. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\PalmCentro.xml
3374. 604 2672
3375. File
3376. Open
3377.  
3378. C:\ProgramData\System32\xfs
3379. MD5: 31371f9d1d0353e7662912edccbb2ab5
3380. SHA1: 16eab066d51c8576938529d7a25ab7c7173a13f0
3381. 604 6558
3382. File
3383. Close
3384.  
3385. C:\ProgramData\System32\xfs
3386. MD5: 6fda7aaae38bbe8b64e7f6b6df0d9f0e
3387. SHA1: 11e23cc41846a68218671813adefee86fd73de53
3388. 604 6742
3389. File
3390. Hide
3391.  
3392. C:\ProgramData\System32\xfs
3393. MD5: 6fda7aaae38bbe8b64e7f6b6df0d9f0e
3394. SHA1: 11e23cc41846a68218671813adefee86fd73de53
3395. 604 6742
3396. File
3397. Close
3398.  
3399. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\PalmCentro.xml
3400. MD5: 992326804b1f5642c19dde09dafd6c6a
3401. SHA1: 3f3ca523cc7ed06e9d8b86ee7fe0fcee394ff460
3402. 604 3056
3403. File
3404. Open
3405.  
3406. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\PalmCentro.xml
3407. MD5: 992326804b1f5642c19dde09dafd6c6a
3408. SHA1: 3f3ca523cc7ed06e9d8b86ee7fe0fcee394ff460
3409. 604 3056
3410. File
3411. Close
3412.  
3413. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\PalmCentro.xml
3414. MD5: 71a23bca50f9c9b1468cca933c53ff69
3415. SHA1: f312cf35a0a210a07e303d5b180af363686ec854
3416. 604 3056
3417. File
3418. Rename
3419.  
3420. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\PalmCentro.xml
3421. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\ZvqgyWIl0jbUDuzksy+jC178cqCOsqdRf2u2Xosl0d
3422. o=.7A2F0ADB1B90B147DABB.no_more_ransom
3423. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
3424. MD5: 71a23bca50f9c9b1468cca933c53ff69
3425. SHA1: f312cf35a0a210a07e303d5b180af363686ec854
3426. 604 3056
3427. File
3428. Open
3429.  
3430. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Nokian97.xml
3431. 604 6216
3432. File
3433. Open
3434.  
3435. C:\ProgramData\System32\xfs
3436. MD5: 6fda7aaae38bbe8b64e7f6b6df0d9f0e
3437. SHA1: 11e23cc41846a68218671813adefee86fd73de53
3438. 604 6742
3439. File
3440. Close
3441.  
3442. C:\ProgramData\System32\xfs
3443. MD5: 61b66310b775141e5c44def55fa3bd63
3444. SHA1: 92bacef09b0b05f531b6a544b70f0734fbebbada
3445. 604 6932
3446. File
3447. Hide
3448.  
3449. C:\ProgramData\System32\xfs
3450. MD5: 61b66310b775141e5c44def55fa3bd63
3451. SHA1: 92bacef09b0b05f531b6a544b70f0734fbebbada
3452. 604 6932
3453. File
3454. Close
3455.  
3456. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Nokian97.xml
3457. MD5: 70d583231166467f51569c2ca697cf90
3458. SHA1: 1ec8052ee2f507fb96b14c5cafcb742fd918ffde
3459. 604 6600
3460. File
3461. Open
3462.  
3463. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Nokian97.xml
3464. MD5: 70d583231166467f51569c2ca697cf90
3465. SHA1: 1ec8052ee2f507fb96b14c5cafcb742fd918ffde
3466. 604 6600
3467. File
3468. Close
3469.  
3470. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Nokian97.xml
3471. MD5: 80681a7e343adba3a1f4d3b6bb2159a3
3472. SHA1: 42898e7d024b0f07d0655e5b625aaac18893efb3
3473. 604 6608
3474. File
3475. Rename
3476.  
3477. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Nokian97.xml
3478. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\J3NeZOq40KJ8nvVvWQQi7xczlGOlh87oOIDZIiQBN+
3479. A=.7A2F0ADB1B90B147DABB.no_more_ransom
3480. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
3481. MD5: 80681a7e343adba3a1f4d3b6bb2159a3
3482. SHA1: 42898e7d024b0f07d0655e5b625aaac18893efb3
3483. 604 6608
3484. File
3485. Open
3486.  
3487. C:\ProgramData\System32\xfs
3488. MD5: 61b66310b775141e5c44def55fa3bd63
3489. SHA1: 92bacef09b0b05f531b6a544b70f0734fbebbada
3490. 604 6932
3491. File
3492. Open
3493.  
3494. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\NokiaN95.xml
3495. 604 5389
3496. File
3497. Close
3498.  
3499. C:\ProgramData\System32\xfs
3500. MD5: 5551c6cc065fccda0537c8a860242366
3501. SHA1: 2575aad811581133d9c0115feb443162b5cebf89
3502. 604 7118
3503. File
3504. Hide
3505.  
3506. C:\ProgramData\System32\xfs
3507. MD5: 5551c6cc065fccda0537c8a860242366
3508. SHA1: 2575aad811581133d9c0115feb443162b5cebf89
3509. 604 7118
3510. File
3511. Close
3512.  
3513. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\NokiaN95.xml
3514. MD5: 3efa2599b89557034df7bbc2ad67334e
3515. SHA1: 383d3cefa1b40503f571f0f74b258b53f3c7f5d8
3516. 604 5773
3517. File
3518. Open
3519.  
3520. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\NokiaN95.xml
3521. MD5: 3efa2599b89557034df7bbc2ad67334e
3522. SHA1: 383d3cefa1b40503f571f0f74b258b53f3c7f5d8
3523. 604 5773
3524. File
3525. Close
3526.  
3527. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\NokiaN95.xml
3528. MD5: 57a03d4dcbbbc3f58f1d3ee1f8cd54d3
3529. SHA1: 3a86aba5a2f5367c3dde4bc5d8e426130796db2e
3530. 604 5776
3531. File
3532. Rename
3533.  
3534. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\NokiaN95.xml
3535. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\VQRd7A5-N889jdlL5b-UsjKEivUNG+75wk7ro12yJR
3536. E=.7A2F0ADB1B90B147DABB.no_more_ransom
3537. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
3538. MD5: 57a03d4dcbbbc3f58f1d3ee1f8cd54d3
3539. SHA1: 3a86aba5a2f5367c3dde4bc5d8e426130796db2e
3540. 604 5776
3541. File
3542. Open
3543.  
3544. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\NokiaE75.xml
3545. 604 7451
3546. File
3547. Open
3548.  
3549. C:\ProgramData\System32\xfs
3550. MD5: 5551c6cc065fccda0537c8a860242366
3551. SHA1: 2575aad811581133d9c0115feb443162b5cebf89
3552. 604 7118
3553. File
3554. Close
3555.  
3556. C:\ProgramData\System32\xfs
3557. MD5: 0b5d08b76fad8990e73062bd427fb693
3558. SHA1: fab075c476382fd9b3c6b99b781d0a136654b9d5
3559. 604 7304
3560. File
3561. Hide
3562.  
3563. C:\ProgramData\System32\xfs
3564. MD5: 0b5d08b76fad8990e73062bd427fb693
3565. SHA1: fab075c476382fd9b3c6b99b781d0a136654b9d5
3566. 604 7304
3567. File
3568. Close
3569.  
3570. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\NokiaE75.xml
3571. MD5: ee3531a4b09d601575a15c58d57e847d
3572. SHA1: 6f3d39554a4b3c31819229580011af7791b5a23a
3573. 604 7835
3574. File
3575. Open
3576.  
3577. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\NokiaE75.xml
3578. MD5: ee3531a4b09d601575a15c58d57e847d
3579. SHA1: 6f3d39554a4b3c31819229580011af7791b5a23a
3580. 604 7835
3581. File
3582. Close
3583.  
3584. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\NokiaE75.xml
3585. MD5: 63558ee89b3508b372606ab11effaebf
3586. SHA1: be8dc13503d20303e48eb2fb170e09fe5436d41e
3587. 604 7840
3588. File
3589. Rename
3590.  
3591. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\NokiaE75.xml
3592. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\vWysMuTWJbzvctFwpl6+zCRi09aOdgrTBJM--4WXeB
3593. g=.7A2F0ADB1B90B147DABB.no_more_ransom
3594. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
3595. MD5: 63558ee89b3508b372606ab11effaebf
3596. SHA1: be8dc13503d20303e48eb2fb170e09fe5436d41e
3597. 604 7840
3598. File
3599. Open
3600.  
3601. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\NokiaE71x.xml
3602. 604 7599
3603. File
3604. Open
3605.  
3606. C:\ProgramData\System32\xfs
3607. MD5: 0b5d08b76fad8990e73062bd427fb693
3608. SHA1: fab075c476382fd9b3c6b99b781d0a136654b9d5
3609. 604 7304
3610. File
3611. Close
3612.  
3613. C:\ProgramData\System32\xfs
3614. MD5: fb2602b04538bb74ee0edb7fb82befff
3615. SHA1: 1a21f5a736e68a1fd6c9c27d8c3ecf39899578be
3616. 604 7490
3617. File
3618. Hide
3619.  
3620. C:\ProgramData\System32\xfs
3621. MD5: fb2602b04538bb74ee0edb7fb82befff
3622. SHA1: 1a21f5a736e68a1fd6c9c27d8c3ecf39899578be
3623. 604 7490
3624. File
3625. Close
3626.  
3627. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\NokiaE71x.xml
3628. MD5: cf5956d9173416127b75e7859311fa93
3629. SHA1: 7ddea280e53186cfaa5ebf8282fb89edf3dcf25a
3630. 604 7983
3631. File
3632. Open
3633.  
3634. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\NokiaE71x.xml
3635. MD5: cf5956d9173416127b75e7859311fa93
3636. SHA1: 7ddea280e53186cfaa5ebf8282fb89edf3dcf25a
3637. 604 7983
3638. File
3639. Close
3640.  
3641. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\NokiaE71x.xml
3642. MD5: df00bbb3b1705409a6d8e40b4315f50a
3643. SHA1: d532c8f623db5e9bd4d10644958c9f214ad6e0ff
3644. 604 7984
3645. File
3646. Rename
3647.  
3648. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\NokiaE71x.xml
3649. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\6OGLSO+0aLf9EnQBb4D-bz7VDRX18DOVoKrxRJt13q
3650. 4=.7A2F0ADB1B90B147DABB.no_more_ransom
3651. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
3652. MD5: df00bbb3b1705409a6d8e40b4315f50a
3653. SHA1: d532c8f623db5e9bd4d10644958c9f214ad6e0ff
3654. 604 7984
3655. File
3656. Open
3657.  
3658. C:\ProgramData\System32\xfs
3659. MD5: fb2602b04538bb74ee0edb7fb82befff
3660. SHA1: 1a21f5a736e68a1fd6c9c27d8c3ecf39899578be
3661. 604 7490
3662. File
3663. Open
3664.  
3665. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Nokia5800XpressMusic.xml
3666. 604 8189
3667. File
3668. Close
3669.  
3670. C:\ProgramData\System32\xfs
3671. MD5: 21fddc5464b0295dfa63b2dfa4d77e08
3672. SHA1: 47ed35901f0c34ab1b77de9500c7fb17b20159d3
3673. 604 7678
3674. File
3675. Hide
3676.  
3677. C:\ProgramData\System32\xfs
3678. MD5: 21fddc5464b0295dfa63b2dfa4d77e08
3679. SHA1: 47ed35901f0c34ab1b77de9500c7fb17b20159d3
3680. 604 7678
3681. File
3682. Close
3683.  
3684. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Nokia5800XpressMusic.xml
3685. MD5: 4c1b35fb30da2f2ccf631c03159609e5
3686. SHA1: 091318cf8b671ee293a7f7e57af2222e7c0d6435
3687. 604 8573
3688. File
3689. Open
3690.  
3691. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Nokia5800XpressMusic.xml
3692. MD5: 4c1b35fb30da2f2ccf631c03159609e5
3693. SHA1: 091318cf8b671ee293a7f7e57af2222e7c0d6435
3694. 604 8573
3695. File
3696. Close
3697.  
3698. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Nokia5800XpressMusic.xml
3699. MD5: 03758ad4f7ae03bab6f7a58264806d45
3700. SHA1: 2cda2168df20b9ade0defbd25997b0a0b5cc260c
3701. 604 8576
3702. File
3703. Rename
3704.  
3705. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Nokia5800XpressMusic.xml
3706. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\SCFUImbeQrm+a5tgEqrF99mfDvYTOEjO5F4WcFT99h
3707. y2z2a560QCkD4Lsc+-Binn.7A2F0ADB1B90B147DABB.no_more_ransom
3708. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
3709. MD5: 03758ad4f7ae03bab6f7a58264806d45
3710. SHA1: 2cda2168df20b9ade0defbd25997b0a0b5cc260c
3711. 604 8576
3712. File
3713. Open
3714.  
3715. C:\ProgramData\System32\xfs
3716. MD5: 21fddc5464b0295dfa63b2dfa4d77e08
3717. SHA1: 47ed35901f0c34ab1b77de9500c7fb17b20159d3
3718. 604 7678
3719. File
3720. Close
3721.  
3722. C:\ProgramData\System32\xfs
3723. MD5: c5cd55f5e0bf6586e2c2251ed0cf5a66
3724. SHA1: aa5e5e0146efb4388a922bf81c11b419b7d898c3
3725. 604 7888
3726. File
3727. Hide
3728.  
3729. C:\ProgramData\System32\xfs
3730. MD5: c5cd55f5e0bf6586e2c2251ed0cf5a66
3731. SHA1: aa5e5e0146efb4388a922bf81c11b419b7d898c3
3732. 604 7888
3733. File
3734. Open
3735.  
3736. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\MP3Player.xml
3737. 604 1506
3738. File
3739. Close
3740.  
3741. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\MP3Player.xml
3742. MD5: dd02db100c5cbcd05e0c8f79deeb7ab6
3743. SHA1: 5dd1d1d52b96ba1a540c7d1fdcfd566116fddd21
3744. 604 1890
3745. File
3746. Open
3747.  
3748. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\MP3Player.xml
3749. MD5: dd02db100c5cbcd05e0c8f79deeb7ab6
3750. SHA1: 5dd1d1d52b96ba1a540c7d1fdcfd566116fddd21
3751. 604 1890
3752. File
3753. Close
3754.  
3755. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\MP3Player.xml
3756. MD5: 96892e8263a4b83463c220fe258d9970
3757. SHA1: 10f3f7055b112d35df88c6a42656a3d1dd0b60a7
3758. 604 1904
3759. File
3760. Rename
3761.  
3762. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\MP3Player.xml
3763. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\WOJO7bg0rG+2Jo-WKilSxJu1ixDOmczYcC1F+FfTmn
3764. c=.7A2F0ADB1B90B147DABB.no_more_ransom
3765. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
3766. MD5: 96892e8263a4b83463c220fe258d9970
3767. SHA1: 10f3f7055b112d35df88c6a42656a3d1dd0b60a7
3768. 604 1904
3769. File
3770. Open
3771.  
3772. C:\ProgramData\System32\xfs
3773. MD5: c5cd55f5e0bf6586e2c2251ed0cf5a66
3774. SHA1: aa5e5e0146efb4388a922bf81c11b419b7d898c3
3775. 604 7888
3776. File
3777. Open
3778.  
3779. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\MotorolaDroid.xml
3780. 604 7496
3781. File
3782. Close
3783.  
3784. C:\ProgramData\System32\xfs
3785. MD5: 697e93e5eaeaa57e2a63c520a9793547
3786. SHA1: 55093fadc2f474dfb2bb2c01ccd58d38d9eeeb98
3787. 604 8076
3788. File
3789. Hide
3790.  
3791. C:\ProgramData\System32\xfs
3792. MD5: 697e93e5eaeaa57e2a63c520a9793547
3793. SHA1: 55093fadc2f474dfb2bb2c01ccd58d38d9eeeb98
3794. 604 8076
3795. File
3796. Close
3797.  
3798. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\MotorolaDroid.xml
3799. MD5: 7ec43407a43f6ece0f8441c51d06c0bb
3800. SHA1: c590787ce7dd0ab9a4c922e89768ed3c3f6ae4b9
3801. 604 7880
3802. File
3803. Open
3804.  
3805. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\MotorolaDroid.xml
3806. MD5: 7ec43407a43f6ece0f8441c51d06c0bb
3807. SHA1: c590787ce7dd0ab9a4c922e89768ed3c3f6ae4b9
3808. 604 7880
3809. File
3810. Close
3811.  
3812. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\MotorolaDroid.xml
3813. MD5: 3eb8c3db15394c3cdbe955455724eddd
3814. SHA1: cc3f522032664a8b7f3e4ff6558806c551ff918c
3815. 604 7888
3816. File
3817. Rename
3818.  
3819. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\MotorolaDroid.xml
3820. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\JF4ZghmFRm5bgQhs5qv4jBYsHN8ONp55kSxrcUlPFg
3821. 210-Q-ZWMKpRP+8K4q-U54.7A2F0ADB1B90B147DABB.no_more_ransom
3822. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
3823. MD5: 3eb8c3db15394c3cdbe955455724eddd
3824. SHA1: cc3f522032664a8b7f3e4ff6558806c551ff918c
3825. 604 7888
3826. File
3827. Open
3828.  
3829. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\MotorolaCliq.xml
3830. 604 6183
3831. File
3832. Open
3833.  
3834. C:\ProgramData\System32\xfs
3835. MD5: 697e93e5eaeaa57e2a63c520a9793547
3836. SHA1: 55093fadc2f474dfb2bb2c01ccd58d38d9eeeb98
3837. 604 8076
3838. File
3839. Close
3840.  
3841. C:\ProgramData\System32\xfs
3842. MD5: 10a6bd4631820dc149fc442007dbbfc5
3843. SHA1: aa7c4579f1ca52ba0750c16cb7fb9013bfa20dfb
3844. 604 8272
3845. File
3846. Hide
3847.  
3848. C:\ProgramData\System32\xfs
3849. MD5: 10a6bd4631820dc149fc442007dbbfc5
3850. SHA1: aa7c4579f1ca52ba0750c16cb7fb9013bfa20dfb
3851. 604 8272
3852. File
3853. Close
3854.  
3855. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\MotorolaCliq.xml
3856. MD5: e56804a04b35ff509717af7f75eebe33
3857. SHA1: e1fde1b10744bd2b3896233eda33288d879e8128
3858. 604 6567
3859. File
3860. Open
3861.  
3862. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\MotorolaCliq.xml
3863. MD5: e56804a04b35ff509717af7f75eebe33
3864. SHA1: e1fde1b10744bd2b3896233eda33288d879e8128
3865. 604 6567
3866. File
3867. Close
3868.  
3869. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\MotorolaCliq.xml
3870. MD5: 93d216fe0ffa0ef57d1c3b7eab1325ae
3871. SHA1: 94dd761e6867496c7f7d0d77bb4db6fbee062336
3872. 604 6576
3873. File
3874. Rename
3875.  
3876. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\MotorolaCliq.xml
3877. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\-OUJMJbiqB1OlpA5vP+HG2UuAyVqp6+bjKfa2tx3-q
3878. I=.7A2F0ADB1B90B147DABB.no_more_ransom
3879. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
3880. MD5: 93d216fe0ffa0ef57d1c3b7eab1325ae
3881. SHA1: 94dd761e6867496c7f7d0d77bb4db6fbee062336
3882. 604 6576
3883. File
3884. Open
3885.  
3886. C:\ProgramData\System32\xfs
3887. MD5: 10a6bd4631820dc149fc442007dbbfc5
3888. SHA1: aa7c4579f1ca52ba0750c16cb7fb9013bfa20dfb
3889. 604 8272
3890. File
3891. Close
3892.  
3893. C:\ProgramData\System32\xfs
3894. MD5: c0e1a339edd36fc67cd43d6a086b6534
3895. SHA1: 84aca458ae2189ed3cd71fe9ab0f109cc990dbfc
3896. 604 8466
3897. File
3898. Hide
3899.  
3900. C:\ProgramData\System32\xfs
3901. MD5: c0e1a339edd36fc67cd43d6a086b6534
3902. SHA1: 84aca458ae2189ed3cd71fe9ab0f109cc990dbfc
3903. 604 8466
3904. File
3905. Open
3906.  
3907. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\MotorolaBackflip.xml
3908. 604 5800
3909. File
3910. Close
3911.  
3912. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\MotorolaBackflip.xml
3913. MD5: f01d6ebe9626aa9963df89d1e13af284
3914. SHA1: 57bc62dee26d11c6855b0bb273077ea7af122b86
3915. 604 6184
3916. File
3917. Open
3918.  
3919. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\MotorolaBackflip.xml
3920. MD5: f01d6ebe9626aa9963df89d1e13af284
3921. SHA1: 57bc62dee26d11c6855b0bb273077ea7af122b86
3922. 604 6184
3923. File
3924. Close
3925.  
3926. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\MotorolaBackflip.xml
3927. MD5: 8fcdc7a38dd19344caefebd702ebd6c9
3928. SHA1: d2ec0685b3370c6cf4b2c7aaa5960d2c51a47555
3929. 604 6192
3930. File
3931. Rename
3932.  
3933. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\MotorolaBackflip.xml
3934. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\sXqt18Ul5tHMofWOcldXtkL8QXT+S0PEFQ4NhjRuI-
3935. nWH5Wz4mgBUcv5B2F4iFm9.7A2F0ADB1B90B147DABB.no_more_ransom
3936. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
3937. MD5: 8fcdc7a38dd19344caefebd702ebd6c9
3938. SHA1: d2ec0685b3370c6cf4b2c7aaa5960d2c51a47555
3939. 604 6192
3940. File
3941. Open
3942.  
3943. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Motorola.xml
3944. 604 5951
3945. File
3946. Open
3947.  
3948. C:\ProgramData\System32\xfs
3949. MD5: c0e1a339edd36fc67cd43d6a086b6534
3950. SHA1: 84aca458ae2189ed3cd71fe9ab0f109cc990dbfc
3951. 604 8466
3952. File
3953. Close
3954.  
3955. C:\ProgramData\System32\xfs
3956. MD5: 3dc1a077836de0c70907d4a89c44ce01
3957. SHA1: c047af193c183163b991d485615e6f717a172448
3958. 604 8668
3959. File
3960. Hide
3961.  
3962. C:\ProgramData\System32\xfs
3963. MD5: 3dc1a077836de0c70907d4a89c44ce01
3964. SHA1: c047af193c183163b991d485615e6f717a172448
3965. 604 8668
3966. File
3967. Close
3968.  
3969. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Motorola.xml
3970. MD5: ffcd80631c51cc6b489c238ef7761d1d
3971. SHA1: 4142df7c05522953e2a1df961f97628034fab8e3
3972. 604 6335
3973. File
3974. Open
3975.  
3976. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Motorola.xml
3977. MD5: ffcd80631c51cc6b489c238ef7761d1d
3978. SHA1: 4142df7c05522953e2a1df961f97628034fab8e3
3979. 604 6335
3980. File
3981. Close
3982.  
3983. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Motorola.xml
3984. MD5: d67107ac114a8c4e9f9240b06448c9ce
3985. SHA1: 4cf276cc1d71e9329c39d086aaaffb38d9d2e4bc
3986. 604 6336
3987. File
3988. Rename
3989.  
3990. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Motorola.xml
3991. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\W3MxEkwumT6qf1PQYY7e804NK3+okMp7aOEy2172Mp
3992. 4=.7A2F0ADB1B90B147DABB.no_more_ransom
3993. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
3994. MD5: d67107ac114a8c4e9f9240b06448c9ce
3995. SHA1: 4cf276cc1d71e9329c39d086aaaffb38d9d2e4bc
3996. 604 6336
3997. File
3998. Open
3999.  
4000. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\LG.xml
4001. 604 6249
4002. File
4003. Open
4004.  
4005. C:\ProgramData\System32\xfs
4006. MD5: 3dc1a077836de0c70907d4a89c44ce01
4007. SHA1: c047af193c183163b991d485615e6f717a172448
4008. 604 8668
4009. File
4010. Close
4011.  
4012. C:\ProgramData\System32\xfs
4013. MD5: 981003f2d780d7d6208709a805bd33e0
4014. SHA1: b900d15729abca028fe4fd88c6d4b3151dac9370
4015. 604 8854
4016. File
4017. Hide
4018.  
4019. C:\ProgramData\System32\xfs
4020. MD5: 981003f2d780d7d6208709a805bd33e0
4021. SHA1: b900d15729abca028fe4fd88c6d4b3151dac9370
4022. 604 8854
4023. File
4024. Close
4025.  
4026. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\LG.xml
4027. MD5: a5b6b5270ff62d9a1f45bfebd4e22a81
4028. SHA1: 1efd65a0a28bb0da73960b423fb03c6950005598
4029. 604 6633
4030. File
4031. Open
4032.  
4033. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\LG.xml
4034. MD5: a5b6b5270ff62d9a1f45bfebd4e22a81
4035. SHA1: 1efd65a0a28bb0da73960b423fb03c6950005598
4036. 604 6633
4037. File
4038. Close
4039.  
4040. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\LG.xml
4041. MD5: 60a4027f7cfe86e41eb3170eaf6df55e
4042. SHA1: 4fc33bc6fce98cfc7b4e25e0b82436a94cfa2f8d
4043. 604 6640
4044. File
4045. Rename
4046.  
4047. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\LG.xml
4048. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\RGr8JRRhObk5OJvjVTJRsg==.7A2F0ADB1B90B147D
4049. ABB.no_more_ransom
4050. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
4051. MD5: 60a4027f7cfe86e41eb3170eaf6df55e
4052. SHA1: 4fc33bc6fce98cfc7b4e25e0b82436a94cfa2f8d
4053. 604 6640
4054. File
4055. Open
4056.  
4057. C:\ProgramData\System32\xfs
4058. MD5: 981003f2d780d7d6208709a805bd33e0
4059. SHA1: b900d15729abca028fe4fd88c6d4b3151dac9370
4060. 604 8854
4061. File
4062. Open
4063.  
4064. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iTunes.xml
4065. 604 4509
4066. File
4067. Close
4068.  
4069. C:\ProgramData\System32\xfs
4070. MD5: 8f53d63be4b3e81743836fd4d30546ad
4071. SHA1: a645e7d47e7ecdc5132e994a77546508f5c2f838
4072. 604 9028
4073. File
4074. Hide
4075.  
4076. C:\ProgramData\System32\xfs
4077. MD5: 8f53d63be4b3e81743836fd4d30546ad
4078. SHA1: a645e7d47e7ecdc5132e994a77546508f5c2f838
4079. 604 9028
4080. File
4081. Close
4082.  
4083. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iTunes.xml
4084. MD5: 0074d823e62804fe91888b080e0e1160
4085. SHA1: 23cade50f29d61a3e1cba20959b906f10e6ede73
4086. 604 4893
4087. File
4088. Open
4089.  
4090. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iTunes.xml
4091. MD5: 0074d823e62804fe91888b080e0e1160
4092. SHA1: 23cade50f29d61a3e1cba20959b906f10e6ede73
4093. 604 4893
4094. File
4095. Close
4096.  
4097. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iTunes.xml
4098. MD5: 56c5041dd4d279f53897c0c04aaa9814
4099. SHA1: e83b9393ac9288d3129812c84f7a0098c436377f
4100. 604 4896
4101. File
4102. Rename
4103.  
4104. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iTunes.xml
4105. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\lJqDbyi7QRnMH3ERqljrJwlmUnPhzk7ocQbHB2qjTb
4106. 0=.7A2F0ADB1B90B147DABB.no_more_ransom
4107. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
4108. MD5: 56c5041dd4d279f53897c0c04aaa9814
4109. SHA1: e83b9393ac9288d3129812c84f7a0098c436377f
4110. 604 4896
4111. File
4112. Open
4113.  
4114. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPod.xml
4115. 604 4608
4116. File
4117. Open
4118.  
4119. C:\ProgramData\System32\xfs
4120. MD5: 8f53d63be4b3e81743836fd4d30546ad
4121. SHA1: a645e7d47e7ecdc5132e994a77546508f5c2f838
4122. 604 9028
4123. File
4124. Close
4125.  
4126. C:\ProgramData\System32\xfs
4127. MD5: a13828ac34fe0323b30a0eee1d51d518
4128. SHA1: e78e1a943bbb629d5671f413168a987e004622a3
4129. 604 9210
4130. File
4131. Hide
4132.  
4133. C:\ProgramData\System32\xfs
4134. MD5: a13828ac34fe0323b30a0eee1d51d518
4135. SHA1: e78e1a943bbb629d5671f413168a987e004622a3
4136. 604 9210
4137. File
4138. Close
4139.  
4140. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPod.xml
4141. MD5: deaac5a83902073a874a0036e8d97c25
4142. SHA1: 2d034360d6e3a55bf2a0fe52e15b7fef2bbb9740
4143. 604 4992
4144. File
4145. Open
4146.  
4147. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPod.xml
4148. MD5: deaac5a83902073a874a0036e8d97c25
4149. SHA1: 2d034360d6e3a55bf2a0fe52e15b7fef2bbb9740
4150. 604 4992
4151. File
4152. Close
4153.  
4154. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPod.xml
4155. MD5: 9a23dcb320791fca36ece081a5e5c41e
4156. SHA1: 602f70a0fcd2ce4e3714cfc3018ff348875a0dd3
4157. 604 4992
4158. File
4159. Rename
4160.  
4161. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPod.xml
4162. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\K4BaNvbw9uapwphCowjUHQ==.7A2F0ADB1B90B147D
4163. ABB.no_more_ransom
4164. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
4165. MD5: 9a23dcb320791fca36ece081a5e5c41e
4166. SHA1: 602f70a0fcd2ce4e3714cfc3018ff348875a0dd3
4167. 604 4992
4168. File
4169. Open
4170.  
4171. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPhone5.xml
4172. 604 4653
4173. File
4174. Open
4175.  
4176. C:\ProgramData\System32\xfs
4177. MD5: a13828ac34fe0323b30a0eee1d51d518
4178. SHA1: e78e1a943bbb629d5671f413168a987e004622a3
4179. 604 9210
4180. File
4181. Close
4182.  
4183. C:\ProgramData\System32\xfs
4184. MD5: cf6a9bcaa4cc789e3f7c98ec750fbf59
4185. SHA1: 05f2c37eaee472727e5dd1de6a61cb16ab05bd6b
4186. 604 9388
4187. File
4188. Hide
4189.  
4190. C:\ProgramData\System32\xfs
4191. MD5: cf6a9bcaa4cc789e3f7c98ec750fbf59
4192. SHA1: 05f2c37eaee472727e5dd1de6a61cb16ab05bd6b
4193. 604 9388
4194. File
4195. Close
4196.  
4197. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPhone5.xml
4198. MD5: 68564e9e065bd0e666cd99d6df9b5eff
4199. SHA1: 7dc8dad6098b23f97d0509bee156366327fc810c
4200. 604 5037
4201. File
4202. Open
4203.  
4204. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPhone5.xml
4205. MD5: 68564e9e065bd0e666cd99d6df9b5eff
4206. SHA1: 7dc8dad6098b23f97d0509bee156366327fc810c
4207. 604 5037
4208. File
4209. Close
4210.  
4211. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPhone5.xml
4212. MD5: 4a38510f581e03ebacde3fb221fadf80
4213. SHA1: ce96b572493bb2faaa26cd6a459f983fd10cd9ca
4214. 604 5040
4215. File
4216. Rename
4217.  
4218. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPhone5.xml
4219. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\qJBrPEVU4M5QpFREI84TRe+SaY5ImjATVXb9rMlqHz
4220. I=.7A2F0ADB1B90B147DABB.no_more_ransom
4221. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
4222. MD5: 4a38510f581e03ebacde3fb221fadf80
4223. SHA1: ce96b572493bb2faaa26cd6a459f983fd10cd9ca
4224. 604 5040
4225. File
4226. Open
4227.  
4228. C:\ProgramData\System32\xfs
4229. MD5: cf6a9bcaa4cc789e3f7c98ec750fbf59
4230. SHA1: 05f2c37eaee472727e5dd1de6a61cb16ab05bd6b
4231. 604 9388
4232. File
4233. Close
4234.  
4235. C:\ProgramData\System32\xfs
4236. MD5: ecc212d1b7586b1bd4276c9dd46bbf41
4237. SHA1: 9eec229cef45fe795dc3d3a471719b86883644d1
4238. 604 9572
4239. File
4240. Hide
4241.  
4242. C:\ProgramData\System32\xfs
4243. MD5: ecc212d1b7586b1bd4276c9dd46bbf41
4244. SHA1: 9eec229cef45fe795dc3d3a471719b86883644d1
4245. 604 9572
4246. File
4247. Open
4248.  
4249. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPhone4.xml
4250. 604 4514
4251. File
4252. Close
4253.  
4254. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPhone4.xml
4255. MD5: efb15a30cf8de043fb41fe220b27d221
4256. SHA1: 101e8384bd56c9771f9bc954c55bf37d5912dc9f
4257. 604 4898
4258. File
4259. Open
4260.  
4261. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPhone4.xml
4262. MD5: efb15a30cf8de043fb41fe220b27d221
4263. SHA1: 101e8384bd56c9771f9bc954c55bf37d5912dc9f
4264. 604 4898
4265. File
4266. Close
4267.  
4268. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPhone4.xml
4269. MD5: b7db7c3657fbe4551d12267bb825f397
4270. SHA1: cdc4e49fe1158f1ee02a14a3aba96655a80ed4f0
4271. 604 4912
4272. File
4273. Rename
4274.  
4275. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPhone4.xml
4276. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Cy4rvq3gw9dg7Lrfkc+iquzkGHMx-E8c2l1F5wTtjt
4277. M=.7A2F0ADB1B90B147DABB.no_more_ransom
4278. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
4279. MD5: b7db7c3657fbe4551d12267bb825f397
4280. SHA1: cdc4e49fe1158f1ee02a14a3aba96655a80ed4f0
4281. 604 4912
4282. File
4283. Open
4284.  
4285. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPhone.xml
4286. 604 4575
4287. File
4288. Open
4289.  
4290. C:\ProgramData\System32\xfs
4291. MD5: ecc212d1b7586b1bd4276c9dd46bbf41
4292. SHA1: 9eec229cef45fe795dc3d3a471719b86883644d1
4293. 604 9572
4294. File
4295. Close
4296.  
4297. C:\ProgramData\System32\xfs
4298. MD5: c540281564da97f35f7c809330b77591
4299. SHA1: 38ae85b39549d6c1c83d5da0867b07a582dc8b86
4300. 604 9756
4301. File
4302. Hide
4303.  
4304. C:\ProgramData\System32\xfs
4305. MD5: c540281564da97f35f7c809330b77591
4306. SHA1: 38ae85b39549d6c1c83d5da0867b07a582dc8b86
4307. 604 9756
4308. File
4309. Close
4310.  
4311. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPhone.xml
4312. MD5: 293d60e2959e5ac47e355c54a1e69dfc
4313. SHA1: a61c6fc10d816268ee71935fce3ea57fcf82e87e
4314. 604 4959
4315. File
4316. Open
4317.  
4318. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPhone.xml
4319. MD5: 293d60e2959e5ac47e355c54a1e69dfc
4320. SHA1: a61c6fc10d816268ee71935fce3ea57fcf82e87e
4321. 604 4959
4322. File
4323. Close
4324.  
4325. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPhone.xml
4326. MD5: 3d690554e544230bd3f1e77a919fbef3
4327. SHA1: 38fc0d2faf7bc4751852ace53ecfc32ab19b5255
4328. 604 4960
4329. File
4330. Rename
4331.  
4332. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPhone.xml
4333. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\0oYa02CPiUSrtVBSPCvREhelsmq7i57tqEsTr4sJIy
4334. U=.7A2F0ADB1B90B147DABB.no_more_ransom
4335. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
4336. MD5: 3d690554e544230bd3f1e77a919fbef3
4337. SHA1: 38fc0d2faf7bc4751852ace53ecfc32ab19b5255
4338. 604 4960
4339. File
4340. Open
4341.  
4342. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPad3.xml
4343. 604 4733
4344. File
4345. Open
4346.  
4347. C:\ProgramData\System32\xfs
4348. MD5: c540281564da97f35f7c809330b77591
4349. SHA1: 38ae85b39549d6c1c83d5da0867b07a582dc8b86
4350. 604 9756
4351. File
4352. Close
4353.  
4354. C:\ProgramData\System32\xfs
4355. MD5: 1afe614f2f9ddf2d8448e60b26037079
4356. SHA1: aeffc6c11dd6c3ea0f5f0b4afbd0b77f917662e0
4357. 604 9938
4358. File
4359. Hide
4360.  
4361. C:\ProgramData\System32\xfs
4362. MD5: 1afe614f2f9ddf2d8448e60b26037079
4363. SHA1: aeffc6c11dd6c3ea0f5f0b4afbd0b77f917662e0
4364. 604 9938
4365. File
4366. Close
4367.  
4368. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPad3.xml
4369. MD5: aa45160f55a9b62428513787d7132a73
4370. SHA1: 40677af43d2930c9369f951c6f31ebfda865f7df
4371. 604 5117
4372. File
4373. Open
4374.  
4375. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPad3.xml
4376. MD5: aa45160f55a9b62428513787d7132a73
4377. SHA1: 40677af43d2930c9369f951c6f31ebfda865f7df
4378. 604 5117
4379. File
4380. Close
4381.  
4382. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPad3.xml
4383. MD5: bdb358b129dd290e98cdaf2ee09d3509
4384. SHA1: f669cd7186228dcc1f3d15b5ced26539e46c36d2
4385. 604 5120
4386. File
4387. Rename
4388.  
4389. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPad3.xml
4390. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\rNr1WjfoAr5HKfhss6GHM1UyR9PXWoM6SPnQrTBkNK
4391. o=.7A2F0ADB1B90B147DABB.no_more_ransom
4392. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
4393. MD5: bdb358b129dd290e98cdaf2ee09d3509
4394. SHA1: f669cd7186228dcc1f3d15b5ced26539e46c36d2
4395. 604 5120
4396. File
4397. Open
4398.  
4399. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPad.xml
4400. 604 4470
4401. File
4402. Open
4403.  
4404. C:\ProgramData\System32\xfs
4405. MD5: 1afe614f2f9ddf2d8448e60b26037079
4406. SHA1: aeffc6c11dd6c3ea0f5f0b4afbd0b77f917662e0
4407. 604 9938
4408. File
4409. Close
4410.  
4411. C:\ProgramData\System32\xfs
4412. MD5: 422411d2000f9bf8bebeac1d07ec5b93
4413. SHA1: a9a93e98deb1df9797e03052bf0544b4470a0b37
4414. 604 10118
4415. File
4416. Hide
4417.  
4418. C:\ProgramData\System32\xfs
4419. MD5: 422411d2000f9bf8bebeac1d07ec5b93
4420. SHA1: a9a93e98deb1df9797e03052bf0544b4470a0b37
4421. 604 10118
4422. File
4423. Close
4424.  
4425. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPad.xml
4426. MD5: 975a4d160191d874401ba7676e44841a
4427. SHA1: 0e3a1331f24972b73349c4d1881f8522c83557b3
4428. 604 4854
4429. File
4430. Open
4431.  
4432. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPad.xml
4433. MD5: 975a4d160191d874401ba7676e44841a
4434. SHA1: 0e3a1331f24972b73349c4d1881f8522c83557b3
4435. 604 4854
4436. File
4437. Close
4438.  
4439. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPad.xml
4440. MD5: d6ca7d0fbce3ec5fbe09792bca8f8bac
4441. SHA1: a39956fda6d5e1500bc4174e6359e9a482c0b3cb
4442. 604 4864
4443. File
4444. Rename
4445.  
4446. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\iPad.xml
4447. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\D4Cq9GlHFuf36r4EEvC2kA==.7A2F0ADB1B90B147D
4448. ABB.no_more_ransom
4449. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
4450. MD5: d6ca7d0fbce3ec5fbe09792bca8f8bac
4451. SHA1: a39956fda6d5e1500bc4174e6359e9a482c0b3cb
4452. 604 4864
4453. File
4454. Open
4455.  
4456. C:\ProgramData\System32\xfs
4457. MD5: 422411d2000f9bf8bebeac1d07ec5b93
4458. SHA1: a9a93e98deb1df9797e03052bf0544b4470a0b37
4459. 604 10118
4460. File
4461. Close
4462.  
4463. C:\ProgramData\System32\xfs
4464. MD5: a94296ba41dfa95c97c58e5b2db01d89
4465. SHA1: f7346a85135d84b8fc5c89ba64751a842946f49c
4466. 604 10296
4467. File
4468. Hide
4469.  
4470. C:\ProgramData\System32\xfs
4471. MD5: a94296ba41dfa95c97c58e5b2db01d89
4472. SHA1: f7346a85135d84b8fc5c89ba64751a842946f49c
4473. 604 10296
4474. File
4475. Open
4476.  
4477. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTCTouchDiamond.xml
4478. 604 7209
4479. File
4480. Close
4481.  
4482. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTCTouchDiamond.xml
4483. MD5: 45c8981b9721a77e5f6422afd0e1b621
4484. SHA1: bec73c31aa723f736a0f7993860f7308b5db16f7
4485. 604 7593
4486. File
4487. Open
4488.  
4489. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTCTouchDiamond.xml
4490. MD5: 45c8981b9721a77e5f6422afd0e1b621
4491. SHA1: bec73c31aa723f736a0f7993860f7308b5db16f7
4492. 604 7593
4493. File
4494. Close
4495.  
4496. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTCTouchDiamond.xml
4497. MD5: ab4dd29c5657a34c219c2df554652d5c
4498. SHA1: ec0622e436047fbb24a22acc368cf248767e8f86
4499. 604 7600
4500. File
4501. Rename
4502.  
4503. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTCTouchDiamond.xml
4504. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\1jXfXWMb8PDGy5xLM61+wxuKf1exQzSmJgwvk5uzQp
4505. NcTteCUr6++ZhPzmm9eoWY.7A2F0ADB1B90B147DABB.no_more_ransom
4506. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
4507. MD5: ab4dd29c5657a34c219c2df554652d5c
4508. SHA1: ec0622e436047fbb24a22acc368cf248767e8f86
4509. 604 7600
4510. File
4511. Open
4512.  
4513. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTCHero.xml
4514. 604 7287
4515. File
4516. Open
4517.  
4518. C:\ProgramData\System32\xfs
4519. MD5: a94296ba41dfa95c97c58e5b2db01d89
4520. SHA1: f7346a85135d84b8fc5c89ba64751a842946f49c
4521. 604 10296
4522. File
4523. Close
4524.  
4525. C:\ProgramData\System32\xfs
4526. MD5: b57ba3d7a172383697c4d494750da2c3
4527. SHA1: 3c29b7f2e748acf40b5a1eef7e5ed4ba4f356a06
4528. 604 10496
4529. File
4530. Hide
4531.  
4532. C:\ProgramData\System32\xfs
4533. MD5: b57ba3d7a172383697c4d494750da2c3
4534. SHA1: 3c29b7f2e748acf40b5a1eef7e5ed4ba4f356a06
4535. 604 10496
4536. File
4537. Close
4538.  
4539. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTCHero.xml
4540. MD5: 2ac0943a53d6f0edb396d33f1fd0f848
4541. SHA1: 366577deda14b00b9c35ff9b9d4fcfc95783b816
4542. 604 7671
4543. File
4544. Open
4545.  
4546. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTCHero.xml
4547. MD5: 2ac0943a53d6f0edb396d33f1fd0f848
4548. SHA1: 366577deda14b00b9c35ff9b9d4fcfc95783b816
4549. 604 7671
4550. File
4551. Close
4552.  
4553. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTCHero.xml
4554. MD5: ade598ff9bbbb137d980bfcd614613d1
4555. SHA1: 6f7656e076aae0248b6558ebb95dddc67e5cfc3e
4556. 604 7680
4557. File
4558. Rename
4559.  
4560. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTCHero.xml
4561. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\YEVe3rMyxpYkuCfaf0MaBoy8QDO9GsezI+7Oj0ClYx
4562. 4=.7A2F0ADB1B90B147DABB.no_more_ransom
4563. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
4564. MD5: ade598ff9bbbb137d980bfcd614613d1
4565. SHA1: 6f7656e076aae0248b6558ebb95dddc67e5cfc3e
4566. 604 7680
4567. File
4568. Open
4569.  
4570. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTCEvo.xml
4571. 604 7306
4572. File
4573. Open
4574.  
4575. C:\ProgramData\System32\xfs
4576. MD5: b57ba3d7a172383697c4d494750da2c3
4577. SHA1: 3c29b7f2e748acf40b5a1eef7e5ed4ba4f356a06
4578. 604 10496
4579. File
4580. Close
4581.  
4582. C:\ProgramData\System32\xfs
4583. MD5: d7f45b81966f4677f967df09d776cbde
4584. SHA1: 11ed145d6583ed95bff36e98e963d90de9959a21
4585. 604 10680
4586. File
4587. Hide
4588.  
4589. C:\ProgramData\System32\xfs
4590. MD5: d7f45b81966f4677f967df09d776cbde
4591. SHA1: 11ed145d6583ed95bff36e98e963d90de9959a21
4592. 604 10680
4593. File
4594. Close
4595.  
4596. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTCEvo.xml
4597. MD5: a434771efc92fda02982178f1664393d
4598. SHA1: 921a2fc0ec15de1894d4323cb47e0004c4e8d55a
4599. 604 7690
4600. File
4601. Open
4602.  
4603. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTCEvo.xml
4604. MD5: a434771efc92fda02982178f1664393d
4605. SHA1: 921a2fc0ec15de1894d4323cb47e0004c4e8d55a
4606. 604 7690
4607. File
4608. Close
4609.  
4610. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTCEvo.xml
4611. MD5: 2e424414185cdf578af400da19f2db5e
4612. SHA1: abe1d349094214b59514a7b8db0babe959916908
4613. 604 7696
4614. File
4615. Rename
4616.  
4617. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTCEvo.xml
4618. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\bHqXqfQXtqw7Omj+hd6FbDBCdPs8t4DONY99FPziay
4619. k=.7A2F0ADB1B90B147DABB.no_more_ransom
4620. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
4621. MD5: 2e424414185cdf578af400da19f2db5e
4622. SHA1: abe1d349094214b59514a7b8db0babe959916908
4623. 604 7696
4624. File
4625. Open
4626.  
4627. C:\ProgramData\System32\xfs
4628. MD5: d7f45b81966f4677f967df09d776cbde
4629. SHA1: 11ed145d6583ed95bff36e98e963d90de9959a21
4630. 604 10680
4631. File
4632. Close
4633.  
4634. C:\ProgramData\System32\xfs
4635. MD5: 32ea53b9c0818d90581228724b1bb307
4636. SHA1: 43c0a85cc0b2d76f7795b4046b4985049e0a9470
4637. 604 10862
4638. File
4639. Hide
4640.  
4641. C:\ProgramData\System32\xfs
4642. MD5: 32ea53b9c0818d90581228724b1bb307
4643. SHA1: 43c0a85cc0b2d76f7795b4046b4985049e0a9470
4644. 604 10862
4645. File
4646. Open
4647.  
4648. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTC1X.xml
4649. 604 9129
4650. File
4651. Close
4652.  
4653. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTC1X.xml
4654. MD5: 4888779182bf8bd708239876234da33c
4655. SHA1: a100821284bdc40cc0a38a0902818c016c42d978
4656. 604 9513
4657. File
4658. Open
4659.  
4660. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTC1X.xml
4661. MD5: 4888779182bf8bd708239876234da33c
4662. SHA1: a100821284bdc40cc0a38a0902818c016c42d978
4663. 604 9513
4664. File
4665. Close
4666.  
4667. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTC1X.xml
4668. MD5: 72458a8dc63cd2e5c1d6f5c6be35020a
4669. SHA1: fc9de2cadac28844960366865e16f7bcafbeb4e6
4670. 604 9520
4671. File
4672. Rename
4673.  
4674. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTC1X.xml
4675. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\fFaLpscuXlh2nN8rxURCAiR5UCQG2U6Giov+u2wmI9
4676. A=.7A2F0ADB1B90B147DABB.no_more_ransom
4677. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
4678. MD5: 72458a8dc63cd2e5c1d6f5c6be35020a
4679. SHA1: fc9de2cadac28844960366865e16f7bcafbeb4e6
4680. 604 9520
4681. File
4682. Open
4683.  
4684. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTC1S.xml
4685. 604 9398
4686. File
4687. Open
4688.  
4689. C:\ProgramData\System32\xfs
4690. MD5: 32ea53b9c0818d90581228724b1bb307
4691. SHA1: 43c0a85cc0b2d76f7795b4046b4985049e0a9470
4692. 604 10862
4693. File
4694. Close
4695.  
4696. C:\ProgramData\System32\xfs
4697. MD5: 425d93bc2a6ef2c1243c54af7f236f45
4698. SHA1: c910cab4276c22fb737f7ea705ee353b879a16fa
4699. 604 11042
4700. File
4701. Hide
4702.  
4703. C:\ProgramData\System32\xfs
4704. MD5: 425d93bc2a6ef2c1243c54af7f236f45
4705. SHA1: c910cab4276c22fb737f7ea705ee353b879a16fa
4706. 604 11042
4707. File
4708. Close
4709.  
4710. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTC1S.xml
4711. MD5: ba0d9b20596496baa1a4d9114a6f57c0
4712. SHA1: 9e7297fd05262a619a3cb29848b97f809763cb4b
4713. 604 9782
4714. File
4715. Open
4716.  
4717. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTC1S.xml
4718. MD5: ba0d9b20596496baa1a4d9114a6f57c0
4719. SHA1: 9e7297fd05262a619a3cb29848b97f809763cb4b
4720. 604 9782
4721. File
4722. Close
4723.  
4724. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTC1S.xml
4725. MD5: ad0b91e8518e400b018984996039aca5
4726. SHA1: e546e4f61edbd9a112cf61f61ab46599896ed34a
4727. 604 9792
4728. File
4729. Rename
4730.  
4731. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTC1S.xml
4732. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\RU9znbxpeZf9GsMH5wi8NpqTxtGNDMEs4sN4KKiizh
4733. M=.7A2F0ADB1B90B147DABB.no_more_ransom
4734. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
4735. MD5: ad0b91e8518e400b018984996039aca5
4736. SHA1: e546e4f61edbd9a112cf61f61ab46599896ed34a
4737. 604 9792
4738. File
4739. Open
4740.  
4741. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTC.xml
4742. 604 7554
4743. File
4744. Open
4745.  
4746. C:\ProgramData\System32\xfs
4747. MD5: 425d93bc2a6ef2c1243c54af7f236f45
4748. SHA1: c910cab4276c22fb737f7ea705ee353b879a16fa
4749. 604 11042
4750. File
4751. Close
4752.  
4753. C:\ProgramData\System32\xfs
4754. MD5: d137c15c7ab90948e800f3d1e8aa2034
4755. SHA1: 77186409ea44bfebc7f88c35aa714c81fa84167a
4756. 604 11222
4757. File
4758. Hide
4759.  
4760. C:\ProgramData\System32\xfs
4761. MD5: d137c15c7ab90948e800f3d1e8aa2034
4762. SHA1: 77186409ea44bfebc7f88c35aa714c81fa84167a
4763. 604 11222
4764. API Call
4765.  
4766. API Name: Sleep Address: 0x0040e6c8
4767. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe DLL Name: kernel32.dll
4768. 604
4769. High Cpu
4770.  
4771. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
4772. 604
4773. Regkey
4774. Setval
4775.  
4776. \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\System32\Configuration\"xcnt" = 66
4777. 604
4778. ProcessTelemetryReport
4779.  
4780. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
4781. 604
4782. File
4783. Close
4784.  
4785. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTC.xml
4786. MD5: 108519e74ead11e621e22aaa44f17869
4787. SHA1: 597dc8ea5bd62a0bd2ffb6c996663569611bda9e
4788. 604 7938
4789. File
4790. Open
4791.  
4792. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTC.xml
4793. MD5: 108519e74ead11e621e22aaa44f17869
4794. SHA1: 597dc8ea5bd62a0bd2ffb6c996663569611bda9e
4795. 604 7938
4796. File
4797. Close
4798.  
4799. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTC.xml
4800. MD5: b9fb3451b1f67c38c970a32832fa5b4b
4801. SHA1: 6a60bcc4952b6f159a25c62666dbfeddf8bece72
4802. 604 7952
4803. File
4804. Rename
4805.  
4806. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\HTC.xml
4807. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\aRSwpU2l+M-z1SNFjWmv9A==.7A2F0ADB1B90B147D
4808. ABB.no_more_ransom
4809. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
4810. MD5: b9fb3451b1f67c38c970a32832fa5b4b
4811. SHA1: 6a60bcc4952b6f159a25c62666dbfeddf8bece72
4812. 604 7952
4813. File
4814. Open
4815.  
4816. C:\ProgramData\System32\xfs
4817. MD5: d137c15c7ab90948e800f3d1e8aa2034
4818. SHA1: 77186409ea44bfebc7f88c35aa714c81fa84167a
4819. 604 11222
4820. File
4821. Close
4822.  
4823. C:\ProgramData\System32\xfs
4824. MD5: 7bfdaf9d9e54f0d325c37a6a938422f2
4825. SHA1: 78df3e627fa3108a6b8d97d55dd6a3f0198a41df
4826. 604 11398
4827. File
4828. Hide
4829.  
4830. C:\ProgramData\System32\xfs
4831. MD5: 7bfdaf9d9e54f0d325c37a6a938422f2
4832. SHA1: 78df3e627fa3108a6b8d97d55dd6a3f0198a41df
4833. 604 11398
4834. File
4835. Open
4836.  
4837. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Groups.xml
4838. 604 233
4839. File
4840. Close
4841.  
4842. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Groups.xml
4843. MD5: 92cb14554d0223c2996317551f1ea82c
4844. SHA1: 67092b3bffb5264a1c4dcfe707abbcbac2f4ecf5
4845. 604 617
4846. File
4847. Open
4848.  
4849. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Groups.xml
4850. MD5: 92cb14554d0223c2996317551f1ea82c
4851. SHA1: 67092b3bffb5264a1c4dcfe707abbcbac2f4ecf5
4852. 604 617
4853. File
4854. Close
4855.  
4856. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Groups.xml
4857. MD5: 09391d163591391d5287f4ed9d5a3767
4858. SHA1: 589bde79d3da84fdd1d9f2a5c9290bd2faeaf09d
4859. 604 624
4860. File
4861. Rename
4862.  
4863. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Groups.xml
4864. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\-D0JMA3HNfYA20bYPFUmqdCM1huLo4z-ivKQcMzfn0
4865. 0=.7A2F0ADB1B90B147DABB.no_more_ransom
4866. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
4867. MD5: 09391d163591391d5287f4ed9d5a3767
4868. SHA1: 589bde79d3da84fdd1d9f2a5c9290bd2faeaf09d
4869. 604 624
4870. File
4871. Open
4872.  
4873. C:\ProgramData\System32\xfs
4874. MD5: 7bfdaf9d9e54f0d325c37a6a938422f2
4875. SHA1: 78df3e627fa3108a6b8d97d55dd6a3f0198a41df
4876. 604 11398
4877. File
4878. Open
4879.  
4880. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Generic.xml
4881. 604 13985
4882. File
4883. Close
4884.  
4885. C:\ProgramData\System32\xfs
4886. MD5: facc26b694fc1911c7b311bc11dcef18
4887. SHA1: 50a651a70a34dfd80b118b5fd1770bdee7045fc7
4888. 604 11580
4889. File
4890. Hide
4891.  
4892. C:\ProgramData\System32\xfs
4893. MD5: facc26b694fc1911c7b311bc11dcef18
4894. SHA1: 50a651a70a34dfd80b118b5fd1770bdee7045fc7
4895. 604 11580
4896. File
4897. Close
4898.  
4899. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Generic.xml
4900. MD5: 6ba2f895fe3ace63e6a72100be165a69
4901. SHA1: 1c9fedcf4304639f23de83f31955fb634f15a654
4902. 604 14369
4903. File
4904. Open
4905.  
4906. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Generic.xml
4907. MD5: 6ba2f895fe3ace63e6a72100be165a69
4908. SHA1: 1c9fedcf4304639f23de83f31955fb634f15a654
4909. 604 14369
4910. File
4911. Close
4912.  
4913. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Generic.xml
4914. MD5: f60ba83ec82e5c5c91ec5307dc6cd666
4915. SHA1: 863e476df668c5ed173e5e74e91da8c89128a506
4916. 604 14384
4917. File
4918. Rename
4919.  
4920. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Generic.xml
4921. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\hqH5LG3GpZTqU7TOPZDJRPGuwcRCAdoAcHJLVSXuY2
4922. 0=.7A2F0ADB1B90B147DABB.no_more_ransom
4923. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
4924. MD5: f60ba83ec82e5c5c91ec5307dc6cd666
4925. SHA1: 863e476df668c5ed173e5e74e91da8c89128a506
4926. 604 14384
4927. File
4928. Open
4929.  
4930. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-wmv.xml
4931. 604 3449
4932. File
4933. Open
4934.  
4935. C:\ProgramData\System32\xfs
4936. MD5: facc26b694fc1911c7b311bc11dcef18
4937. SHA1: 50a651a70a34dfd80b118b5fd1770bdee7045fc7
4938. 604 11580
4939. File
4940. Close
4941.  
4942. C:\ProgramData\System32\xfs
4943. MD5: ef7c514675d640025d7c1ddea494fd52
4944. SHA1: 323260ebb3eff03c5e282b9086c1042961b7fd93
4945. 604 11764
4946. File
4947. Hide
4948.  
4949. C:\ProgramData\System32\xfs
4950. MD5: ef7c514675d640025d7c1ddea494fd52
4951. SHA1: 323260ebb3eff03c5e282b9086c1042961b7fd93
4952. 604 11764
4953. File
4954. Close
4955.  
4956. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-wmv.xml
4957. MD5: f78f2fd3266d2edccbaf4eb3e6b050df
4958. SHA1: db11c469f1e370260c8e6d4b4ab62a4676e4592c
4959. 604 3833
4960. File
4961. Open
4962.  
4963. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-wmv.xml
4964. MD5: f78f2fd3266d2edccbaf4eb3e6b050df
4965. SHA1: db11c469f1e370260c8e6d4b4ab62a4676e4592c
4966. 604 3833
4967. File
4968. Close
4969.  
4970. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-wmv.xml
4971. MD5: d16679d1605724a28fdb7fdec5cfbec7
4972. SHA1: 7a37c1bfe5d27d2159320d64428fe98cde996de4
4973. 604 3840
4974. File
4975. Rename
4976.  
4977. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-wmv.xml
4978. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\W1eSW9DUhh0cKr0petl++q6VcmZsMXs8Tzsvb4WMB5
4979. g=.7A2F0ADB1B90B147DABB.no_more_ransom
4980. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
4981. MD5: d16679d1605724a28fdb7fdec5cfbec7
4982. SHA1: 7a37c1bfe5d27d2159320d64428fe98cde996de4
4983. 604 3840
4984. File
4985. Open
4986.  
4987. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-wma.xml
4988. 604 1601
4989. File
4990. Open
4991.  
4992. C:\ProgramData\System32\xfs
4993. MD5: ef7c514675d640025d7c1ddea494fd52
4994. SHA1: 323260ebb3eff03c5e282b9086c1042961b7fd93
4995. 604 11764
4996. File
4997. Close
4998.  
4999. C:\ProgramData\System32\xfs
5000. MD5: 0140f63bb666f9ea8a5acbcbebd3a00d
5001. SHA1: b17b4a73a0b52562c4a5edaf91eebdd6dc401cd6
5002. 604 11954
5003. File
5004. Hide
5005.  
5006. C:\ProgramData\System32\xfs
5007. MD5: 0140f63bb666f9ea8a5acbcbebd3a00d
5008. SHA1: b17b4a73a0b52562c4a5edaf91eebdd6dc401cd6
5009. 604 11954
5010. File
5011. Close
5012.  
5013. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-wma.xml
5014. MD5: ad8f0a98fba13937d76da657d1e21697
5015. SHA1: d2d1acbb3d77f40addfdebc8fd078aa5f225507e
5016. 604 1985
5017. File
5018. Open
5019.  
5020. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-wma.xml
5021. MD5: ad8f0a98fba13937d76da657d1e21697
5022. SHA1: d2d1acbb3d77f40addfdebc8fd078aa5f225507e
5023. 604 1985
5024. File
5025. Close
5026.  
5027. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-wma.xml
5028. MD5: 976bc81285d81f40b83063dd62345058
5029. SHA1: 8ff038a01b37ff19d7a5a450f7dc25825a843ffa
5030. 604 2000
5031. File
5032. Rename
5033.  
5034. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-wma.xml
5035. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\-niGLRZdtFa3W8Bwl9D5BIzDmuhOU+4BQ2rmE7Jhlk
5036. U=.7A2F0ADB1B90B147DABB.no_more_ransom
5037. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
5038. MD5: 976bc81285d81f40b83063dd62345058
5039. SHA1: 8ff038a01b37ff19d7a5a450f7dc25825a843ffa
5040. 604 2000
5041. File
5042. Open
5043.  
5044. C:\ProgramData\System32\xfs
5045. MD5: 0140f63bb666f9ea8a5acbcbebd3a00d
5046. SHA1: b17b4a73a0b52562c4a5edaf91eebdd6dc401cd6
5047. 604 11954
5048. File
5049. Close
5050.  
5051. C:\ProgramData\System32\xfs
5052. MD5: 92c340aa6a5a8b0442add3f888b2b6b2
5053. SHA1: f1cf39263adfb16fc96660792d71da006065e8f1
5054. 604 12144
5055. File
5056. Hide
5057.  
5058. C:\ProgramData\System32\xfs
5059. MD5: 92c340aa6a5a8b0442add3f888b2b6b2
5060. SHA1: f1cf39263adfb16fc96660792d71da006065e8f1
5061. 604 12144
5062. File
5063. Open
5064.  
5065. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-wav.xml
5066. 604 869
5067. File
5068. Close
5069.  
5070. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-wav.xml
5071. MD5: a9370844adeeaa93b7866522f41cdb91
5072. SHA1: f8dc6c036d7268eb0bb604c4ad7b49696f40377b
5073. 604 1253
5074. File
5075. Open
5076.  
5077. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-wav.xml
5078. MD5: a9370844adeeaa93b7866522f41cdb91
5079. SHA1: f8dc6c036d7268eb0bb604c4ad7b49696f40377b
5080. 604 1253
5081. File
5082. Close
5083.  
5084. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-wav.xml
5085. MD5: fc5e4f0ad3ece153c024765e3196f7e7
5086. SHA1: a4628506c3de4f5f954a598d5b9a2175d49b97aa
5087. 604 1264
5088. File
5089. Rename
5090.  
5091. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-wav.xml
5092. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\XLuqOg5Qu5-XHyiXPjV6f-TOULPEcOQ76AUCQShwBP
5093. Y=.7A2F0ADB1B90B147DABB.no_more_ransom
5094. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
5095. MD5: fc5e4f0ad3ece153c024765e3196f7e7
5096. SHA1: a4628506c3de4f5f954a598d5b9a2175d49b97aa
5097. 604 1264
5098. File
5099. Open
5100.  
5101. C:\ProgramData\System32\xfs
5102. MD5: 92c340aa6a5a8b0442add3f888b2b6b2
5103. SHA1: f1cf39263adfb16fc96660792d71da006065e8f1
5104. 604 12144
5105. File
5106. Open
5107.  
5108. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-rv.xml
5109. 604 3736
5110. File
5111. Close
5112.  
5113. C:\ProgramData\System32\xfs
5114. MD5: 2331f0ec18e8600bab81cde12524babe
5115. SHA1: 585bd428ecf4f63b5fc9f8bb5f223726201aa39d
5116. 604 12334
5117. File
5118. Hide
5119.  
5120. C:\ProgramData\System32\xfs
5121. MD5: 2331f0ec18e8600bab81cde12524babe
5122. SHA1: 585bd428ecf4f63b5fc9f8bb5f223726201aa39d
5123. 604 12334
5124. File
5125. Close
5126.  
5127. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-rv.xml
5128. MD5: c2e5208f80bfc2b7ad29745fddec5d3a
5129. SHA1: 432150ba364d7932f39c2c7fed481fdfe72a359a
5130. 604 4120
5131. File
5132. Open
5133.  
5134. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-rv.xml
5135. MD5: c2e5208f80bfc2b7ad29745fddec5d3a
5136. SHA1: 432150ba364d7932f39c2c7fed481fdfe72a359a
5137. 604 4120
5138. File
5139. Close
5140.  
5141. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-rv.xml
5142. MD5: e3074ff103a28efe8c000b9da4c24499
5143. SHA1: a369839b0465fafc9e49ead344b380eb22aba0f6
5144. 604 4128
5145. File
5146. Rename
5147.  
5148. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-rv.xml
5149. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\wv4kbE3vTkkVITNgG+1OxDgZwr25gxRiXsszu6Au+n
5150. 8=.7A2F0ADB1B90B147DABB.no_more_ransom
5151. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
5152. MD5: e3074ff103a28efe8c000b9da4c24499
5153. SHA1: a369839b0465fafc9e49ead344b380eb22aba0f6
5154. 604 4128
5155. File
5156. Open
5157.  
5158. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-ral.xml
5159. 604 929
5160. File
5161. Open
5162.  
5163. C:\ProgramData\System32\xfs
5164. MD5: 2331f0ec18e8600bab81cde12524babe
5165. SHA1: 585bd428ecf4f63b5fc9f8bb5f223726201aa39d
5166. 604 12334
5167. File
5168. Close
5169.  
5170. C:\ProgramData\System32\xfs
5171. MD5: 32c32ddf6dd2c0bb70e47d4faa3fe015
5172. SHA1: 039ed11333a50682c6c9740215a25b40608e37cb
5173. 604 12522
5174. File
5175. Hide
5176.  
5177. C:\ProgramData\System32\xfs
5178. MD5: 32c32ddf6dd2c0bb70e47d4faa3fe015
5179. SHA1: 039ed11333a50682c6c9740215a25b40608e37cb
5180. 604 12522
5181. File
5182. Close
5183.  
5184. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-ral.xml
5185. MD5: ec8cc3044de2f86f84e49c25dd651f32
5186. SHA1: f6e31c920df983c5363b57ba7f0c6c645d188af3
5187. 604 1313
5188. File
5189. Open
5190.  
5191. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-ral.xml
5192. MD5: ec8cc3044de2f86f84e49c25dd651f32
5193. SHA1: f6e31c920df983c5363b57ba7f0c6c645d188af3
5194. 604 1313
5195. File
5196. Close
5197.  
5198. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-ral.xml
5199. MD5: 3a28cdabdd7dcbf429c4cdd72141730c
5200. SHA1: 0332f1e5b24f7f396223a3ec81b2d1ad7e486a98
5201. 604 1328
5202. File
5203. Rename
5204.  
5205. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-ral.xml
5206. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\ESF30494qREgUqyO-4wutBiKh6RJdj+9R6oBQeqTM7
5207. 4=.7A2F0ADB1B90B147DABB.no_more_ransom
5208. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
5209. MD5: 3a28cdabdd7dcbf429c4cdd72141730c
5210. SHA1: 0332f1e5b24f7f396223a3ec81b2d1ad7e486a98
5211. 604 1328
5212. File
5213. Open
5214.  
5215. C:\ProgramData\System32\xfs
5216. MD5: 32c32ddf6dd2c0bb70e47d4faa3fe015
5217. SHA1: 039ed11333a50682c6c9740215a25b40608e37cb
5218. 604 12522
5219. File
5220. Open
5221.  
5222. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-ra10.xml
5223. 604 1507
5224. File
5225. Close
5226.  
5227. C:\ProgramData\System32\xfs
5228. MD5: 22eab5a69802595c4d44e69be54ef20b
5229. SHA1: 3bf1a33c92610aedc4352a8dc1994ec22e84c5a4
5230. 604 12712
5231. File
5232. Hide
5233.  
5234. C:\ProgramData\System32\xfs
5235. MD5: 22eab5a69802595c4d44e69be54ef20b
5236. SHA1: 3bf1a33c92610aedc4352a8dc1994ec22e84c5a4
5237. 604 12712
5238. File
5239. Close
5240.  
5241. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-ra10.xml
5242. MD5: 11cdcb383dc22f04700c197aff9edc44
5243. SHA1: 93fcf4fbfcfc6467e07b9315722ab2cbd2fd2a45
5244. 604 1891
5245. File
5246. Open
5247.  
5248. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-ra10.xml
5249. MD5: 11cdcb383dc22f04700c197aff9edc44
5250. SHA1: 93fcf4fbfcfc6467e07b9315722ab2cbd2fd2a45
5251. 604 1891
5252. File
5253. Close
5254.  
5255. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-ra10.xml
5256. MD5: ee57ebc3996d633fbb56a9cc51f91ef9
5257. SHA1: da7fc76e026dffd3b96cec656f87401e13aaeec0
5258. 604 1904
5259. File
5260. Rename
5261.  
5262. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-ra10.xml
5263. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\2ZtJKEwIvkV8sYhNajp9AuXkg5LjhNA+MiG-bZK4wE
5264. w=.7A2F0ADB1B90B147DABB.no_more_ransom
5265. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
5266. MD5: ee57ebc3996d633fbb56a9cc51f91ef9
5267. SHA1: da7fc76e026dffd3b96cec656f87401e13aaeec0
5268. 604 1904
5269. File
5270. Open
5271.  
5272. C:\ProgramData\System32\xfs
5273. MD5: 22eab5a69802595c4d44e69be54ef20b
5274. SHA1: 3bf1a33c92610aedc4352a8dc1994ec22e84c5a4
5275. 604 12712
5276. File
5277. Close
5278.  
5279. C:\ProgramData\System32\xfs
5280. MD5: 0873147a6aaa5e4b1c0cf592f455fe64
5281. SHA1: c4c292ebb5fe238c2cde93fa7f002aea7b03fdd4
5282. 604 12904
5283. File
5284. Hide
5285.  
5286. C:\ProgramData\System32\xfs
5287. MD5: 0873147a6aaa5e4b1c0cf592f455fe64
5288. SHA1: c4c292ebb5fe238c2cde93fa7f002aea7b03fdd4
5289. 604 12904
5290. File
5291. Open
5292.  
5293. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-mp4.xml
5294. 604 3178
5295. File
5296. Close
5297.  
5298. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-mp4.xml
5299. MD5: 6d4fd729d5a9c1107247aaad61b60039
5300. SHA1: a8d38fe63ae6af1e270e91fca2a8c16a4778618c
5301. 604 3562
5302. File
5303. Open
5304.  
5305. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-mp4.xml
5306. MD5: 6d4fd729d5a9c1107247aaad61b60039
5307. SHA1: a8d38fe63ae6af1e270e91fca2a8c16a4778618c
5308. 604 3562
5309. File
5310. Close
5311.  
5312. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-mp4.xml
5313. MD5: 96688ca879566f9560f2efda67506650
5314. SHA1: 923c4e194483607287ac1b94c76390850520f691
5315. 604 3568
5316. File
5317. Rename
5318.  
5319. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-mp4.xml
5320. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\VnjG3JfRn2B1G0EZefSXX1ClB+mg5KKJx5UNf84z3-
5321. k=.7A2F0ADB1B90B147DABB.no_more_ransom
5322. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
5323. MD5: 96688ca879566f9560f2efda67506650
5324. SHA1: 923c4e194483607287ac1b94c76390850520f691
5325. 604 3568
5326. File
5327. Open
5328.  
5329. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-mp3.xml
5330. 604 1330
5331. File
5332. Open
5333.  
5334. C:\ProgramData\System32\xfs
5335. MD5: 0873147a6aaa5e4b1c0cf592f455fe64
5336. SHA1: c4c292ebb5fe238c2cde93fa7f002aea7b03fdd4
5337. 604 12904
5338. File
5339. Close
5340.  
5341. C:\ProgramData\System32\xfs
5342. MD5: 0ffb6876589bef4633bba1ec3ee1dc75
5343. SHA1: 4f19caf3dcabea53c7b9b97cf81200e26a2454f1
5344. 604 13094
5345. File
5346. Hide
5347.  
5348. C:\ProgramData\System32\xfs
5349. MD5: 0ffb6876589bef4633bba1ec3ee1dc75
5350. SHA1: 4f19caf3dcabea53c7b9b97cf81200e26a2454f1
5351. 604 13094
5352. File
5353. Close
5354.  
5355. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-mp3.xml
5356. MD5: 1ee92dcf64ba278b25639289e1cabfee
5357. SHA1: 3348f80dfa1e72437e2f4d29d618cdd050293912
5358. 604 1714
5359. File
5360. Open
5361.  
5362. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-mp3.xml
5363. MD5: 1ee92dcf64ba278b25639289e1cabfee
5364. SHA1: 3348f80dfa1e72437e2f4d29d618cdd050293912
5365. 604 1714
5366. File
5367. Close
5368.  
5369. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-mp3.xml
5370. MD5: aeaa7e710215ebe88f87cef1c8e6bedb
5371. SHA1: 8bc0a2e5d5ddabb27d6bff89da564c75ecbb1917
5372. 604 1728
5373. File
5374. Rename
5375.  
5376. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-mp3.xml
5377. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\9aWFb73eaa96tLoz2dJfTiYX44Asaro8dqKVReVbvH
5378. 8=.7A2F0ADB1B90B147DABB.no_more_ransom
5379. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
5380. MD5: aeaa7e710215ebe88f87cef1c8e6bedb
5381. SHA1: 8bc0a2e5d5ddabb27d6bff89da564c75ecbb1917
5382. 604 1728
5383. File
5384. Open
5385.  
5386. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-h264apple.xml
5387. 604 5061
5388. File
5389. Open
5390.  
5391. C:\ProgramData\System32\xfs
5392. MD5: 0ffb6876589bef4633bba1ec3ee1dc75
5393. SHA1: 4f19caf3dcabea53c7b9b97cf81200e26a2454f1
5394. 604 13094
5395. File
5396. Close
5397.  
5398. C:\ProgramData\System32\xfs
5399. MD5: 5bb781d47d4d81f450d109eec3e9f019
5400. SHA1: 4cd92fd070b092e92d071026f0c2647caedd649b
5401. 604 13284
5402. File
5403. Hide
5404.  
5405. C:\ProgramData\System32\xfs
5406. MD5: 5bb781d47d4d81f450d109eec3e9f019
5407. SHA1: 4cd92fd070b092e92d071026f0c2647caedd649b
5408. 604 13284
5409. File
5410. Close
5411.  
5412. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-h264apple.xml
5413. MD5: 03d3ad324d70cf6d48af77184f4ee163
5414. SHA1: 0af230475aaffff933d46fad2e6215218022af0d
5415. 604 5445
5416. File
5417. Open
5418.  
5419. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-h264apple.xml
5420. MD5: 03d3ad324d70cf6d48af77184f4ee163
5421. SHA1: 0af230475aaffff933d46fad2e6215218022af0d
5422. 604 5445
5423. File
5424. Close
5425.  
5426. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-h264apple.xml
5427. MD5: d7cef1215ae478f8eb756e0d999dfb29
5428. SHA1: 1988cacfb4630272e42aa8be071164cdddd1eac0
5429. 604 5456
5430. File
5431. Rename
5432.  
5433. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-h264apple.xml
5434. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Xvb8AH1+3u3cvay-yEd06jZBmwX16RVH1J2UReg8lv
5435. Gn6oWv6QYe6G19gAyotIrn.7A2F0ADB1B90B147DABB.no_more_ransom
5436. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
5437. MD5: d7cef1215ae478f8eb756e0d999dfb29
5438. SHA1: 1988cacfb4630272e42aa8be071164cdddd1eac0
5439. 604 5456
5440. File
5441. Open
5442.  
5443. C:\ProgramData\System32\xfs
5444. MD5: 5bb781d47d4d81f450d109eec3e9f019
5445. SHA1: 4cd92fd070b092e92d071026f0c2647caedd649b
5446. 604 13284
5447. File
5448. Open
5449.  
5450. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-h264.xml
5451. 604 3238
5452. File
5453. Close
5454.  
5455. C:\ProgramData\System32\xfs
5456. MD5: 0e14e23c5a429768dae8db374a7b3229
5457. SHA1: d503d92994f4869fbe678a98e4f3129e7df40d4f
5458. 604 13486
5459. File
5460. Hide
5461.  
5462. C:\ProgramData\System32\xfs
5463. MD5: 0e14e23c5a429768dae8db374a7b3229
5464. SHA1: d503d92994f4869fbe678a98e4f3129e7df40d4f
5465. 604 13486
5466. File
5467. Close
5468.  
5469. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-h264.xml
5470. MD5: 91c3999d104ee0bd06bffbaf309e9a56
5471. SHA1: 5fb2df23d87646d27a5fd26543509d2a69233995
5472. 604 3622
5473. File
5474. Open
5475.  
5476. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-h264.xml
5477. MD5: 91c3999d104ee0bd06bffbaf309e9a56
5478. SHA1: 5fb2df23d87646d27a5fd26543509d2a69233995
5479. 604 3622
5480. File
5481. Close
5482.  
5483. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-h264.xml
5484. MD5: f00a91b1c90e8823e55dc95f87a2cb61
5485. SHA1: 2ffbe469b29f005e8cdd021e05bd7be2a4d3277b
5486. 604 3632
5487. File
5488. Rename
5489.  
5490. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-h264.xml
5491. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\3te7UM3CwsHEQ5Jqt+c22RKLn7idVTfEzT3wxaMx2f
5492. k=.7A2F0ADB1B90B147DABB.no_more_ransom
5493. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
5494. MD5: f00a91b1c90e8823e55dc95f87a2cb61
5495. SHA1: 2ffbe469b29f005e8cdd021e05bd7be2a4d3277b
5496. 604 3632
5497. File
5498. Open
5499.  
5500. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-aac.xml
5501. 604 1331
5502. File
5503. Open
5504.  
5505. C:\ProgramData\System32\xfs
5506. MD5: 0e14e23c5a429768dae8db374a7b3229
5507. SHA1: d503d92994f4869fbe678a98e4f3129e7df40d4f
5508. 604 13486
5509. File
5510. Close
5511.  
5512. C:\ProgramData\System32\xfs
5513. MD5: ee78c6bcff9ad38475bc8f1cfe59cc7a
5514. SHA1: 533d35f66c0a34d32b513d2a8eee22fb343d4b9a
5515. 604 13678
5516. File
5517. Hide
5518.  
5519. C:\ProgramData\System32\xfs
5520. MD5: ee78c6bcff9ad38475bc8f1cfe59cc7a
5521. SHA1: 533d35f66c0a34d32b513d2a8eee22fb343d4b9a
5522. 604 13678
5523. File
5524. Close
5525.  
5526. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-aac.xml
5527. MD5: df0f730dbc6c1c8ceaf7ef2708dc744a
5528. SHA1: c57d39a241ea3d32fb928d7f542d49a149c6800d
5529. 604 1715
5530. File
5531. Open
5532.  
5533. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-aac.xml
5534. MD5: df0f730dbc6c1c8ceaf7ef2708dc744a
5535. SHA1: c57d39a241ea3d32fb928d7f542d49a149c6800d
5536. 604 1715
5537. File
5538. Close
5539.  
5540. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-aac.xml
5541. MD5: c66aeb3d3d68a09b563fa1676c85320b
5542. SHA1: 861322d2ede4d5108bfdb9d60e6df1376e16ee86
5543. 604 1728
5544. File
5545. Rename
5546.  
5547. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-aac.xml
5548. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\26GrUqNW1h5f0Mv4uU7+nFqpQ2Vj03SYOZDV-m6QCv
5549. 4=.7A2F0ADB1B90B147DABB.no_more_ransom
5550. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
5551. MD5: c66aeb3d3d68a09b563fa1676c85320b
5552. SHA1: 861322d2ede4d5108bfdb9d60e6df1376e16ee86
5553. 604 1728
5554. File
5555. Open
5556.  
5557. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-3gp.xml
5558. 604 2708
5559. File
5560. Open
5561.  
5562. C:\ProgramData\System32\xfs
5563. MD5: ee78c6bcff9ad38475bc8f1cfe59cc7a
5564. SHA1: 533d35f66c0a34d32b513d2a8eee22fb343d4b9a
5565. 604 13678
5566. File
5567. Close
5568.  
5569. C:\ProgramData\System32\xfs
5570. MD5: f51287c2a41ba93e942c3bd03d8779d1
5571. SHA1: f0aeffcae023aacda3b64d7e4f4770014c88e66c
5572. 604 13868
5573. File
5574. Hide
5575.  
5576. C:\ProgramData\System32\xfs
5577. MD5: f51287c2a41ba93e942c3bd03d8779d1
5578. SHA1: f0aeffcae023aacda3b64d7e4f4770014c88e66c
5579. 604 13868
5580. File
5581. Close
5582.  
5583. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-3gp.xml
5584. MD5: ddd7b63545db76d1dd8751b0e38e06b4
5585. SHA1: 31a25f36ddcfb8331c1bc8b9275d24b3a7b3dcdf
5586. 604 3092
5587. File
5588. Open
5589.  
5590. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-3gp.xml
5591. MD5: ddd7b63545db76d1dd8751b0e38e06b4
5592. SHA1: 31a25f36ddcfb8331c1bc8b9275d24b3a7b3dcdf
5593. 604 3092
5594. File
5595. Close
5596.  
5597. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-3gp.xml
5598. MD5: d8ad1a1dee9d3d9012dfce2aab5ec330
5599. SHA1: 21be739135694ee4188fdead774cda5079425ce4
5600. 604 3104
5601. File
5602. Rename
5603.  
5604. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Format-3gp.xml
5605. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\UWG-ktkHumCkVu8nBdRlWrvEw+EBUU4IYhkwyMGrwY
5606. E=.7A2F0ADB1B90B147DABB.no_more_ransom
5607. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
5608. MD5: d8ad1a1dee9d3d9012dfce2aab5ec330
5609. SHA1: 21be739135694ee4188fdead774cda5079425ce4
5610. 604 3104
5611. File
5612. Open
5613.  
5614. C:\ProgramData\System32\xfs
5615. MD5: f51287c2a41ba93e942c3bd03d8779d1
5616. SHA1: f0aeffcae023aacda3b64d7e4f4770014c88e66c
5617. 604 13868
5618. File
5619. Open
5620.  
5621. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Custom.xml
5622. 604 13789
5623. File
5624. Close
5625.  
5626. C:\ProgramData\System32\xfs
5627. MD5: 8537d52b4e353059734c55aec90eea11
5628. SHA1: 6a97dab984864ecb8bbb1a4fdaf1178861c1e051
5629. 604 14058
5630. File
5631. Hide
5632.  
5633. C:\ProgramData\System32\xfs
5634. MD5: 8537d52b4e353059734c55aec90eea11
5635. SHA1: 6a97dab984864ecb8bbb1a4fdaf1178861c1e051
5636. 604 14058
5637. File
5638. Close
5639.  
5640. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Custom.xml
5641. MD5: 5a245a647fa97c0ca828a667296fbdff
5642. SHA1: cd26cd765978e408bef32d359b478674efd71dfc
5643. 604 14173
5644. File
5645. Open
5646.  
5647. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Custom.xml
5648. MD5: 5a245a647fa97c0ca828a667296fbdff
5649. SHA1: cd26cd765978e408bef32d359b478674efd71dfc
5650. 604 14173
5651. File
5652. Close
5653.  
5654. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Custom.xml
5655. MD5: e7df79c905c570649e17d5b761b4e581
5656. SHA1: d1dc329256662e8abccc1b44fbf0451b9e472998
5657. 604 14176
5658. File
5659. Rename
5660.  
5661. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Custom.xml
5662. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\cIso+FvEtOBev3kx1ypCQVlvfDUnzXklCZ1TPHm6tZ
5663. A=.7A2F0ADB1B90B147DABB.no_more_ransom
5664. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
5665. MD5: e7df79c905c570649e17d5b761b4e581
5666. SHA1: d1dc329256662e8abccc1b44fbf0451b9e472998
5667. 604 14176
5668. File
5669. Open
5670.  
5671. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Cellphone.xml
5672. 604 3285
5673. File
5674. Open
5675.  
5676. C:\ProgramData\System32\xfs
5677. MD5: 8537d52b4e353059734c55aec90eea11
5678. SHA1: 6a97dab984864ecb8bbb1a4fdaf1178861c1e051
5679. 604 14058
5680. File
5681. Close
5682.  
5683. C:\ProgramData\System32\xfs
5684. MD5: 9ae0c2608081bcc67e80aa59d28a44e0
5685. SHA1: 3086ab5e43362971b3756b3bc1b1e01775185a98
5686. 604 14240
5687. File
5688. Hide
5689.  
5690. C:\ProgramData\System32\xfs
5691. MD5: 9ae0c2608081bcc67e80aa59d28a44e0
5692. SHA1: 3086ab5e43362971b3756b3bc1b1e01775185a98
5693. 604 14240
5694. File
5695. Close
5696.  
5697. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Cellphone.xml
5698. MD5: e181a5dc410ebe4c6ca45bc2e656ccf7
5699. SHA1: 9a94610deba18e2242631f8b3ef030d1c207f3c9
5700. 604 3669
5701. File
5702. Open
5703.  
5704. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Cellphone.xml
5705. MD5: e181a5dc410ebe4c6ca45bc2e656ccf7
5706. SHA1: 9a94610deba18e2242631f8b3ef030d1c207f3c9
5707. 604 3669
5708. File
5709. Close
5710.  
5711. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Cellphone.xml
5712. MD5: 1c39e28b7125bdda8f05a6a3c6109f05
5713. SHA1: 73354886d36e5854966406db8f49dee945df2c60
5714. 604 3680
5715. File
5716. Rename
5717.  
5718. Old Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\Cellphone.xml
5719. New Name: C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\uIleu+aNka9l8RN2Ed-LadSCP+D0vzsUQDh5K9pYsp
5720. M=.7A2F0ADB1B90B147DABB.no_more_ransom
5721. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
5722. MD5: 1c39e28b7125bdda8f05a6a3c6109f05
5723. SHA1: 73354886d36e5854966406db8f49dee945df2c60
5724. 604 3680
5725. File
5726. Open
5727.  
5728. C:\ProgramData\System32\xfs
5729. MD5: 9ae0c2608081bcc67e80aa59d28a44e0
5730. SHA1: 3086ab5e43362971b3756b3bc1b1e01775185a98
5731. 604 14240
5732. File
5733. Open
5734.  
5735. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\BlackberryStorm2.xml
5736. 604 9183
5737. File
5738. Close
5739.  
5740. C:\ProgramData\System32\xfs
5741. MD5: 0457eca8e7be4e0a3f26b1e4906d8747
5742. SHA1: a1eeaec2617649f5997672f02fb00c3f7cceb9a0
5743. 604 14428
5744. File
5745. Hide
5746.  
5747. C:\ProgramData\System32\xfs
5748. MD5: 0457eca8e7be4e0a3f26b1e4906d8747
5749. SHA1: a1eeaec2617649f5997672f02fb00c3f7cceb9a0
5750. 604 14428
5751. File
5752. Close
5753.  
5754. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\BlackberryStorm2.xml
5755. MD5: 13b983e62b2147f0a5f8587ba614bcd4
5756. SHA1: 63f2b53417f9ee19532a93e6889e07135c29793b
5757. 604 9567
5758. File
5759. Open
5760.  
5761. C:\ProgramData\RealNetworks\RealDownloader\DeviceProfiles\BlackberryStorm2.xml
5762. MD5: 13b983e62b2147f0a5f8587ba614bcd4
5763. SHA1: 63f2b53417f9ee19532a93e6889e07135c29793b
5764. 604 9567
5765. 2285 Repeated items skipped
5766. File
5767. Rename
5768.  
5769. Old Name: C:\Users\Administrator\AppData\Local\Google\Chrome\Application\40.0.2214.115\PepperFlash\manifest.js
5770. on
5771. New Name: C:\Users\Administrator\AppData\Local\Google\Chrome\Application\40.0.2214.115\PepperFlash\EZxDgVm0bEh
5772. tthCUAB74zg4uD7vkIIb7aPsz3UhEAi4=.7A2F0ADB1B90B147DABB.no_more_ransom
5773. Imagepath: C:\Users\Administrator\AppData\Local\Temp\factura.exe
5774. 604 2432
5775. File
5776. Hide
5777.  
5778. C:\ProgramData\System32\xfs
5779. MD5: e5166eaac2bea37aff3e7b958b76dbb6
5780. SHA1: 587268fbe33d8c9284aebf4f31c9b0ac68a8df16
5781. 604 212178
5782. Appexception
5783.  
5784. Exception Faulting Address: 0x246b1289 Exception Code: 0xc0000005 Exception Level: SECOND_CHANCE
5785. Exception Type: STATUS_ACCESS_VIOLATION Instruction Address: 0x000007fefc14ac25
5786. Description: N/A Imagepath: C:\Windows\explorer.exe
5787.  
5788. Call Stack:
5789. Frame No. Instruction Addr. Module Name Symbol Name SD
5790. 1676
5791. Malicious Alert
5792. Application Crash Activity
5793.  
5794. Message: Application crash detected
5795.  
5796. Malicious Alert
5797. Misc Anom
5798.  
5799. Message: Suspicious Persistence Behavior
5800.  
5801. Malicious Alert
5802. Misc Anom
5803.  
5804. Message: System file created, modified, or overwritten
5805.  
5806. OS Change Detail (version: 1.2767) | Items: 602 | OS Info: Microsoft WindowsXP 32-bit 5.1 sp3 16.0901 Top
5807. Type Mode/Class Details (Path/Message/Protocol/Hostname/Qtype/ListenPort etc.) Process ID Parent ID File Size
5808. Analysis
5809. Malware
5810.  
5811.  
5812. Application
5813.  
5814.  
5815. 3 Repeated items skipped
5816. Config Update
5817.  
5818.  
5819. Process
5820. Started
5821.  
5822. C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
5823. Parentname: C:\WINDOWS\explorer.exe
5824. Command Line: "C:\DOCUME~1\admin\LOCALS~1\Temp\factura.exe"
5825. MD5: 9995a1c9ecf2a84bb9da752dfc43cbe8
5826. SHA1: d54dcd18d30fc944347b994376282c9ec1b7467d
5827. 3728 648 1206863
5828. File
5829. Failed
5830.  
5831. C:\DOCUME~1\admin\LOCALS~1\Temp\LPK.DLL
5832. 3728
5833. File
5834. Failed
5835.  
5836. C:\DOCUME~1\admin\LOCALS~1\Temp\USP10.dll
5837. 3728
5838. QuerySystemTime
5839.  
5840. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
5841. 3728
5842. Regkey
5843. Queryvalue
5844.  
5845. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
5846. 3728
5847. File
5848. Failed
5849.  
5850. C:\DOCUME~1\admin\LOCALS~1\Temp\kyEFJiaNlv
5851. 3728
5852. 2 Repeated items skipped
5853. File
5854. Failed
5855.  
5856. C:\WINDOWS\system32\kyEFJiaNlv
5857. 3728
5858. File
5859. Failed
5860.  
5861. C:\WINDOWS\system\kyEFJiaNlv
5862. 3728
5863. File
5864. Failed
5865.  
5866. C:\WINDOWS\kyEFJiaNlv
5867. 3728
5868. File
5869. Failed
5870.  
5871. C:\WINDOWS\system32\kyEFJiaNlv
5872. 3728
5873. File
5874. Failed
5875.  
5876. C:\WINDOWS\kyEFJiaNlv
5877. 3728
5878. File
5879. Failed
5880.  
5881. C:\WINDOWS\system32\wbem\kyEFJiaNlv
5882. 3728
5883. File
5884. Failed
5885.  
5886. C:\Program Files\Skype\Phone\kyEFJiaNlv
5887. 3728
5888. File
5889. Failed
5890.  
5891. C:\Program Files\QuickTime\QTSystem\kyEFJiaNlv
5892. 3728
5893. File
5894. Failed
5895.  
5896. C:\WINDOWS\system32\WindowsPowerShell\v1.0\kyEFJiaNlv
5897. 3728
5898. File
5899. Failed
5900.  
5901. C:\Program Files\Debugging Tools for Windows (x86)\kyEFJiaNlv
5902. 3728
5903. API Call
5904.  
5905. API Name: GetDesktopWindow Address: 0x004010e0
5906. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: user32.dll
5907. 3728
5908. File
5909. Failed
5910.  
5911. C:\DOCUME~1\admin\LOCALS~1\Temp\rxVwYjlhVy
5912. 3728
5913. 2 Repeated items skipped
5914. File
5915. Failed
5916.  
5917. C:\WINDOWS\system32\rxVwYjlhVy
5918. 3728
5919. File
5920. Failed
5921.  
5922. C:\WINDOWS\system\rxVwYjlhVy
5923. 3728
5924. File
5925. Failed
5926.  
5927. C:\WINDOWS\rxVwYjlhVy
5928. 3728
5929. File
5930. Failed
5931.  
5932. C:\WINDOWS\system32\rxVwYjlhVy
5933. 3728
5934. File
5935. Failed
5936.  
5937. C:\WINDOWS\rxVwYjlhVy
5938. 3728
5939. File
5940. Failed
5941.  
5942. C:\WINDOWS\system32\wbem\rxVwYjlhVy
5943. 3728
5944. File
5945. Failed
5946.  
5947. C:\Program Files\Skype\Phone\rxVwYjlhVy
5948. 3728
5949. File
5950. Failed
5951.  
5952. C:\Program Files\QuickTime\QTSystem\rxVwYjlhVy
5953. 3728
5954. File
5955. Failed
5956.  
5957. C:\WINDOWS\system32\WindowsPowerShell\v1.0\rxVwYjlhVy
5958. 3728
5959. File
5960. Failed
5961.  
5962. C:\Program Files\Debugging Tools for Windows (x86)\rxVwYjlhVy
5963. 3728
5964. API Call
5965.  
5966. API Name: GetSystemDirectoryA Address: 0x77121df1
5967. Params: [0x771a1290, 260]
5968. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
5969. 3728
5970. File
5971. Failed
5972.  
5973. C:\DOCUME~1\admin\LOCALS~1\Temp\WS2_32.dll
5974. 3728
5975. File
5976. Failed
5977.  
5978. C:\DOCUME~1\admin\LOCALS~1\Temp\WS2HELP.dll
5979. 3728
5980. File
5981. Failed
5982.  
5983. C:\DOCUME~1\admin\LOCALS~1\Temp\netapi32.dll
5984. 3728
5985. Regkey
5986. Added
5987.  
5988. \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
5989. 3728
5990. Regkey
5991. Setval
5992.  
5993. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\"Common AppData"
5994. = C:\Documents and Settings\All Users\Application Data
5995. 3728
5996. Regkey
5997. Added
5998.  
5999. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersio
6000. n\Explorer\User Shell Folders
6001. 3728
6002. Regkey
6003. Added
6004.  
6005. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersio
6006. n\Explorer\Shell Folders
6007. 3728
6008. Regkey
6009. Setval
6010.  
6011. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersio
6012. n\Explorer\Shell Folders\"AppData" = C:\Documents and Settings\admin\Application Data
6013. 3728
6014. API Call
6015.  
6016. API Name: GetComputerNameW Address: 0x00413a3c
6017. Params: [0x12fb4c, 0x12fb8c]
6018. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
6019. 3728
6020. Regkey
6021. Queryvalue
6022.  
6023. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
6024. 3728
6025. API Call
6026.  
6027. API Name: GetSystemDirectoryW Address: 0x00413bac
6028. Params: [0x12f984, 260]
6029. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
6030. 3728
6031. Regkey
6032. Added
6033.  
6034. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\
6035. 3728
6036. Regkey
6037. Added
6038.  
6039. \REGISTRY\MACHINE\SOFTWARE\System32
6040. 3728
6041. Regkey
6042. Added
6043.  
6044. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration
6045. 3728
6046. Regkey
6047. Setval
6048.  
6049. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xi" = 4F3773E1C2AF79622E62
6050. 3728
6051. File
6052. Failed
6053.  
6054. C:\Documents and Settings\All Users\Application Data\SYSTEM32\XVERSION
6055. 3728
6056. File
6057. Failed
6058.  
6059. C:\Documents and Settings\admin\Application Data\SYSTEM32\XVERSION
6060. 3728
6061. File
6062. Failed
6063.  
6064. C:\Documents and Settings\All Users\Application Data\Windows
6065. 3728
6066. Folder
6067. Created
6068.  
6069. C:\Documents and Settings\All Users\Application Data\Windows
6070. 3728
6071. Folder
6072. Created
6073.  
6074. C:\Documents and Settings\admin\Local Settings\Temp\6893A5D897
6075. 3728
6076. Folder
6077. Hide
6078.  
6079. C:\Documents and Settings\All Users\Application Data\Windows
6080. 3728
6081. File
6082. Failed
6083.  
6084. C:\Documents and Settings\All Users\Application Data\Windows\csrss.exe
6085. 3728
6086. File
6087. Created
6088.  
6089. C:\Documents and Settings\All Users\Application Data\Windows\csrss.exe
6090. 3728
6091. Malicious Alert
6092. Malicious Directory
6093.  
6094. Message: Executable file created in suspicious location
6095.  
6096. Malicious Alert
6097. Misc Anom
6098.  
6099. Message: Generic Trojan Behavior
6100.  
6101. API Call
6102.  
6103. API Name: SetProcessDEPPolicy Address: 0x00470bd9
6104. Params: [1]
6105. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
6106. 3728
6107. API Call
6108.  
6109. API Name: CryptAcquireContextW Address: 0x004247f1
6110. Params: [NULL, NULL, 1, 4026531840]
6111. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: advapi32.dll
6112. 3728
6113. File
6114. Failed
6115.  
6116. C:\DOCUME~1\admin\LOCALS~1\Temp\rsaenh.dll
6117. 3728
6118. 2 Repeated items skipped
6119. File
6120. Close
6121.  
6122. C:\Documents and Settings\All Users\Application Data\Windows\csrss.exe
6123. MD5: 9995a1c9ecf2a84bb9da752dfc43cbe8
6124. SHA1: d54dcd18d30fc944347b994376282c9ec1b7467d
6125. 3728 1206863
6126. Regkey
6127. Added
6128.  
6129. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersio
6130. n\Run\
6131. 3728
6132. Regkey
6133. Setval
6134.  
6135. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersio
6136. n\Run\"Client Server Runtime Subsystem" = "C:\Documents and Settings\All Users\Application Data\W
6137. indows\csrss.exe"
6138. 3728
6139. Malicious Alert
6140. Suspicious Persistance Activity
6141.  
6142. Message: Startup services added for file in suspicious folder
6143.  
6144. Malicious Alert
6145. Misc Anom
6146.  
6147. Message: Suspicious Persistence Activity
6148.  
6149. Regkey
6150. Added
6151.  
6152. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\
6153. 3728
6154. API Call
6155.  
6156. API Name: Sleep Address: 0x0040de21
6157. Params: [100]
6158. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
6159. 3728
6160. Regkey
6161. Setval
6162.  
6163. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xVersion" = 4.0.0.1
6164. 3728
6165. File
6166. Failed
6167.  
6168. C:\DOCUME~1\admin\LOCALS~1\Temp\rsaenh.dll
6169. 3728
6170. File
6171. Failed
6172.  
6173. C:\DOCUME~1\admin\LOCALS~1\Temp\crypt32.dll
6174. 3728
6175. API Call
6176.  
6177. API Name: Sleep Address: 0x0040de21
6178. Params: [100]
6179. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
6180. 3728
6181. API Call
6182.  
6183. API Name: CryptAcquireContextW Address: 0x00424844
6184. Params: [NULL, Intel Hardware Cryptographic Service Provider, 22, 0]
6185. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: advapi32.dll
6186. 3728
6187. API Call
6188.  
6189. API Name: GetDesktopWindow Address: 0x0041e281
6190. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: user32.dll
6191. 3728
6192. API Call
6193.  
6194. API Name: Process32First Address: 0x00424bf3
6195. Params: [0x84, 0xf3f7d0]
6196. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
6197. 3728
6198. Malicious Alert
6199. Generic Anomalous Activity
6200.  
6201. Message: Enumerating running processes
6202.  
6203. API Call
6204.  
6205. API Name: Sleep Address: 0x0040de21
6206. Params: [100]
6207. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
6208. 3728
6209. API Call
6210.  
6211. API Name: CryptAcquireContextA Address: 0x0050087e
6212. Params: [NULL, NULL, 1, 4026531840]
6213. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: advapi32.dll
6214. 3728
6215. API Call
6216.  
6217. API Name: CryptAcquireContextW Address: 0x004247f1
6218. Params: [NULL, NULL, 1, 4026531840]
6219. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: advapi32.dll
6220. 3728
6221. API Call
6222.  
6223. API Name: CryptAcquireContextW Address: 0x00424844
6224. Params: [NULL, Intel Hardware Cryptographic Service Provider, 22, 0]
6225. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: advapi32.dll
6226. 3728
6227. API Call
6228.  
6229. API Name: GetDesktopWindow Address: 0x0041e281
6230. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: user32.dll
6231. 3728
6232. API Call
6233.  
6234. API Name: Process32First Address: 0x00424bf3
6235. Params: [0x98, 0xf3f748]
6236. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
6237. 3728
6238. API Call
6239.  
6240. API Name: Sleep Address: 0x0040de21
6241. Params: [100]
6242. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
6243. 3728
6244. API Call
6245.  
6246. API Name: GetSystemDirectoryA Address: 0x74723c7f
6247. Params: [0xf3e6ac, 261]
6248. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
6249. 3728
6250. API Call
6251.  
6252. API Name: GetSystemDirectoryA Address: 0x74723c7f
6253. Params: [0xf3e6b4, 261]
6254. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
6255. 3728
6256. API Call
6257.  
6258. API Name: GetSystemDirectoryA Address: 0x74723c7f
6259. Params: [0xf3e600, 261]
6260. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
6261. 3728
6262. API Call
6263.  
6264. API Name: SetWindowsHookExA Address: 0x7473097c
6265. Params: [2, 0x747307c3, 0x74720000, 3740]
6266. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: user32.dll
6267. 3728
6268. API Call
6269.  
6270. API Name: SetWindowsHookExA Address: 0x7473099a
6271. Params: [7, 0x747304cd, 0x74720000, 3740]
6272. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: user32.dll
6273. 3728
6274. Mutex
6275.  
6276. \BaseNamedObjects\CTF.LBES.MutexDefaultS-1-5-21-1409082233-688789844-725345543-1003
6277. 3728
6278. Mutex
6279.  
6280. \BaseNamedObjects\CTF.Compart.MutexDefaultS-1-5-21-1409082233-688789844-725345543-1003
6281. 3728
6282. Mutex
6283.  
6284. \BaseNamedObjects\CTF.Asm.MutexDefaultS-1-5-21-1409082233-688789844-725345543-1003
6285. 3728
6286. Mutex
6287.  
6288. \BaseNamedObjects\CTF.Layouts.MutexDefaultS-1-5-21-1409082233-688789844-725345543-1003
6289. 3728
6290. Mutex
6291.  
6292. \BaseNamedObjects\CTF.TMD.MutexDefaultS-1-5-21-1409082233-688789844-725345543-1003
6293. 3728
6294. Mutex
6295.  
6296. \BaseNamedObjects\CTF.TimListCache.FMPDefaultS-1-5-21-1409082233-688789844-725345543-1003MUTEX.Defau
6297. ltS-1-5-21-1409082233-688789844-725345543-1003
6298. 3728
6299. File
6300. Failed
6301.  
6302. C:\DOCUME~1\admin\LOCALS~1\Temp\SETUPAPI.dll
6303. 3728
6304. API Call
6305.  
6306. API Name: GetSystemDirectoryW Address: 0x77927324
6307. Params: [0xf3e914, 260]
6308. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
6309. 3728
6310. API Call
6311.  
6312. API Name: GetComputerNameExW Address: 0x77927048
6313. Params: [0, 0xf3e948, 0xf3e944]
6314. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
6315. 3728
6316. API Call
6317.  
6318. API Name: GetComputerNameExW Address: 0x779270ab
6319. Params: [3, 0xf3e948, 0xf3e944]
6320. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
6321. 3728
6322. Regkey
6323. Queryvalue
6324.  
6325. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName\"ComputerName"
6326. 3728
6327. API Call
6328.  
6329. API Name: GetVolumeNameForVolumeMountPointW Address: 0x7ca3f17e
6330. Params: [NULL, \\?\Volume{e319f02c-31a9-11e1-9a3f-806d6172696f}\]
6331. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
6332. 3728
6333. API Call
6334.  
6335. API Name: GetVolumeNameForVolumeMountPointW Address: 0x7ca3f17e
6336. Params: [NULL, \\?\Volume{e319f02e-31a9-11e1-9a3f-806d6172696f}\]
6337. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
6338. 3728
6339. API Call
6340.  
6341. API Name: Sleep Address: 0x0040de21
6342. Params: [100]
6343. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
6344. 3728
6345. Regkey
6346. Setval
6347.  
6348. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersio
6349. n\Explorer\MountPoints2\{e319f02e-31a9-11e1-9a3f-806d6172696f}\"BaseClass" = Drive
6350. 3728
6351. Regkey
6352. Setval
6353.  
6354. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersio
6355. n\Explorer\MountPoints2\{e319f02c-31a9-11e1-9a3f-806d6172696f}\"BaseClass" = Drive
6356. 3728
6357. File
6358. Failed
6359.  
6360. C:\Documents and Settings\admin\Application Data\tor
6361. 3728
6362. 4 Repeated items skipped
6363. API Call
6364.  
6365. API Name: Sleep Address: 0x0040de21
6366. Params: [100]
6367. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
6368. 3728
6369. API Call
6370.  
6371. API Name: Sleep Address: 0x0040de21
6372. Params: [100]
6373. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
6374. 3728
6375. 12 Repeated items skipped
6376. File
6377. Failed
6378.  
6379. C:\DOCUME~1\admin\LOCALS~1\Temp\hnetcfg.dll
6380. 3728
6381. API Call
6382.  
6383. API Name: Sleep Address: 0x0040de21
6384. Params: [100]
6385. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
6386. 3728
6387. Network
6388. Listen
6389.  
6390. Protocol Type: tcp Listen Port: 1064 IP Address: 127.0.0.1:1064
6391. Imagepath: c:\Documents and Settings\admin\Local Settings\Temp\factura.exe
6392. 3728
6393. Malicious Alert
6394. Network Activity
6395.  
6396. Message: TCP listen port opened
6397.  
6398. API Call
6399.  
6400. API Name: Sleep Address: 0x0040de21
6401. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
6402. 3728
6403. Network
6404. Connect
6405.  
6406. Protocol Type: tcp Destination Port: 1064 IP Address: 127.0.0.1
6407. Imagepath: c:\Documents and Settings\admin\Local Settings\Temp\factura.exe
6408. 3728
6409. Malicious Alert
6410. Network Activity
6411.  
6412. Message: Network outbound communication attempted
6413.  
6414. Network
6415. Listen
6416.  
6417. Protocol Type: tcp Listen Port: 56217 IP Address: 127.0.0.1:56217
6418. Imagepath: c:\Documents and Settings\admin\Local Settings\Temp\factura.exe
6419. 3728
6420. File
6421. Created
6422.  
6423. C:\Documents and Settings\admin\Local Settings\Temp\6893A5D897\lock
6424. 3728
6425. File
6426. Created
6427.  
6428. C:\Documents and Settings\admin\Local Settings\Temp\6893A5D897\state.tmp
6429. 3728
6430. File
6431. Close
6432.  
6433. C:\Documents and Settings\admin\Local Settings\Temp\6893A5D897\state.tmp
6434. MD5: b3e3e0dc8df66c9af4da25f37df632f0
6435. SHA1: 1b8d598b4efe61cbc429502392514955c5d31eab
6436. 3728 199
6437. File
6438. Rename
6439.  
6440. Old Name: C:\Documents and Settings\admin\Local Settings\Temp\6893A5D897\state.tmp
6441. New Name: C:\Documents and Settings\admin\Local Settings\Temp\6893A5D897\state
6442. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
6443. MD5: b3e3e0dc8df66c9af4da25f37df632f0
6444. SHA1: 1b8d598b4efe61cbc429502392514955c5d31eab
6445. 3728 199
6446. File
6447. Failed
6448.  
6449. C:\DOCUME~1\admin\LOCALS~1\Temp\6893A5~1\router-stability
6450. 3728
6451. File
6452. Failed
6453.  
6454. C:\Documents and Settings\admin\Application Data\TOR\GEOIP
6455. 3728
6456. File
6457. Failed
6458.  
6459. C:\Documents and Settings\admin\Application Data\TOR\GEOIP6
6460. 3728
6461. File
6462. Failed
6463.  
6464. C:\DOCUME~1\admin\LOCALS~1\Temp\6893A5~1\cached-certs
6465. 3728
6466. File
6467. Failed
6468.  
6469. C:\DOCUME~1\admin\LOCALS~1\Temp\6893A5~1\cached-consensus
6470. 3728
6471. File
6472. Failed
6473.  
6474. C:\DOCUME~1\admin\LOCALS~1\Temp\6893A5~1\unverified-consensus
6475. 3728
6476. File
6477. Failed
6478.  
6479. C:\DOCUME~1\admin\LOCALS~1\Temp\6893A5~1\cached-microdesc-consensus
6480. 3728
6481. File
6482. Failed
6483.  
6484. C:\DOCUME~1\admin\LOCALS~1\Temp\6893A5~1\unverified-microdesc-consensus
6485. 3728
6486. File
6487. Failed
6488.  
6489. C:\DOCUME~1\admin\LOCALS~1\Temp\6893A5~1\cached-microdescs
6490. 3728
6491. File
6492. Failed
6493.  
6494. C:\DOCUME~1\admin\LOCALS~1\Temp\6893A5~1\cached-microdescs.new
6495. 3728
6496. File
6497. Failed
6498.  
6499. C:\DOCUME~1\admin\LOCALS~1\Temp\6893A5~1\cached-descriptors
6500. 3728
6501. File
6502. Failed
6503.  
6504. C:\DOCUME~1\admin\LOCALS~1\Temp\6893A5~1\cached-extrainfo
6505. 3728
6506. API Call
6507.  
6508. API Name: Sleep Address: 0x0040de21
6509. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
6510. 3728
6511. API Call
6512.  
6513. API Name: Sleep Address: 0x0040de21
6514. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
6515. 3728
6516. API Call
6517.  
6518. API Name: Sleep Address: 0x0040de21
6519. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
6520. 3728
6521. API Call
6522.  
6523. API Name: GetSystemDirectoryA Address: 0x004f8683
6524. Params: [0xf3f924, 260]
6525. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
6526. 3728
6527. File
6528. Failed
6529.  
6530. C:\DOCUME~1\admin\LOCALS~1\Temp\netman.dll
6531. 3728
6532. File
6533. Failed
6534.  
6535. C:\DOCUME~1\admin\LOCALS~1\Temp\MPRAPI.dll
6536. 3728
6537. File
6538. Failed
6539.  
6540. C:\DOCUME~1\admin\LOCALS~1\Temp\ACTIVEDS.dll
6541. 3728
6542. File
6543. Failed
6544.  
6545. C:\DOCUME~1\admin\LOCALS~1\Temp\adsldpc.dll
6546. 3728
6547. File
6548. Failed
6549.  
6550. C:\DOCUME~1\admin\LOCALS~1\Temp\ATL.DLL
6551. 3728
6552. File
6553. Failed
6554.  
6555. C:\DOCUME~1\admin\LOCALS~1\Temp\rtutils.dll
6556. 3728
6557. File
6558. Failed
6559.  
6560. C:\DOCUME~1\admin\LOCALS~1\Temp\SAMLIB.dll
6561. 3728
6562. File
6563. Failed
6564.  
6565. C:\DOCUME~1\admin\LOCALS~1\Temp\netshell.dll
6566. 3728
6567. File
6568. Failed
6569.  
6570. C:\DOCUME~1\admin\LOCALS~1\Temp\credui.dll
6571. 3728
6572. API Call
6573.  
6574. API Name: Sleep Address: 0x0040de21
6575. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
6576. 3728
6577. File
6578. Failed
6579.  
6580. C:\DOCUME~1\admin\LOCALS~1\Temp\dot3api.dll
6581. 3728
6582. File
6583. Failed
6584.  
6585. C:\DOCUME~1\admin\LOCALS~1\Temp\dot3dlg.dll
6586. 3728
6587. File
6588. Failed
6589.  
6590. C:\DOCUME~1\admin\LOCALS~1\Temp\OneX.DLL
6591. 3728
6592. File
6593. Failed
6594.  
6595. C:\DOCUME~1\admin\LOCALS~1\Temp\WTSAPI32.dll
6596. 3728
6597. File
6598. Failed
6599.  
6600. C:\DOCUME~1\admin\LOCALS~1\Temp\WINSTA.dll
6601. 3728
6602. File
6603. Failed
6604.  
6605. C:\DOCUME~1\admin\LOCALS~1\Temp\CRYPT32.dll
6606. 3728
6607. File
6608. Failed
6609.  
6610. C:\DOCUME~1\admin\LOCALS~1\Temp\MSASN1.dll
6611. 3728
6612. File
6613. Failed
6614.  
6615. C:\DOCUME~1\admin\LOCALS~1\Temp\eappcfg.dll
6616. 3728
6617. File
6618. Failed
6619.  
6620. C:\DOCUME~1\admin\LOCALS~1\Temp\MSVCP60.dll
6621. 3728
6622. File
6623. Failed
6624.  
6625. C:\DOCUME~1\admin\LOCALS~1\Temp\eappprxy.dll
6626. 3728
6627. File
6628. Failed
6629.  
6630. C:\DOCUME~1\admin\LOCALS~1\Temp\RASAPI32.dll
6631. 3728
6632. File
6633. Failed
6634.  
6635. C:\DOCUME~1\admin\LOCALS~1\Temp\rasman.dll
6636. 3728
6637. File
6638. Failed
6639.  
6640. C:\DOCUME~1\admin\LOCALS~1\Temp\TAPI32.dll
6641. 3728
6642. File
6643. Failed
6644.  
6645. C:\DOCUME~1\admin\LOCALS~1\Temp\WINMM.dll
6646. 3728
6647. File
6648. Failed
6649.  
6650. C:\DOCUME~1\admin\LOCALS~1\Temp\WZCSAPI.DLL
6651. 3728
6652. File
6653. Failed
6654.  
6655. C:\DOCUME~1\admin\LOCALS~1\Temp\WZCSvc.DLL
6656. 3728
6657. File
6658. Failed
6659.  
6660. C:\DOCUME~1\admin\LOCALS~1\Temp\WMI.dll
6661. 3728
6662. File
6663. Failed
6664.  
6665. C:\DOCUME~1\admin\LOCALS~1\Temp\DHCPCSVC.DLL
6666. 3728
6667. File
6668. Failed
6669.  
6670. C:\DOCUME~1\admin\LOCALS~1\Temp\DNSAPI.dll
6671. 3728
6672. File
6673. Failed
6674.  
6675. C:\DOCUME~1\admin\LOCALS~1\Temp\EapolQec.dll
6676. 3728
6677. File
6678. Failed
6679.  
6680. C:\DOCUME~1\admin\LOCALS~1\Temp\QUtil.dll
6681. 3728
6682. File
6683. Failed
6684.  
6685. C:\DOCUME~1\admin\LOCALS~1\Temp\ESENT.dll
6686. 3728
6687. Regkey
6688. Added
6689.  
6690. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing
6691. 3728
6692. Regkey
6693. Added
6694.  
6695. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg
6696. 3728
6697. Regkey
6698. Setval
6699.  
6700. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\"LogSession
6701. Name" = stdout
6702. 3728
6703. Regkey
6704. Setval
6705.  
6706. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\"Active" =
6707. 0x00000001
6708. 3728
6709. Regkey
6710. Setval
6711.  
6712. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\"ControlFla
6713. gs" = 0x00000001
6714. 3728
6715. Regkey
6716. Added
6717.  
6718. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdenti
6719. fier
6720. 3728
6721. Regkey
6722. Setval
6723.  
6724. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdenti
6725. fier\"Guid" = 5f31090b-d990-4e91-b16d-46121d0255aa
6726. 3728
6727. Regkey
6728. Setval
6729.  
6730. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdenti
6731. fier\"BitNames" = Error Unusual Info Debug
6732. 3728
6733. Process
6734. Duplicate Opened
6735.  
6736. Source: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
6737. Target: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
6738.  
6739. 3728
6740. 3728
6741. 3728
6742. 3728
6743.  
6744. Regkey
6745. Setval
6746.  
6747. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\"LogSessio
6748. nName" = stdout
6749. 3728
6750. Regkey
6751. Setval
6752.  
6753. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\"Active" =
6754. 0x00000001
6755. 3728
6756. Regkey
6757. Setval
6758.  
6759. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\"ControlFl
6760. ags" = 0x00000001
6761. 3728
6762. Regkey
6763. Setval
6764.  
6765. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdent
6766. ifier\"Guid" = 5f31090b-d990-4e91-b16d-46121d0255aa
6767. 3728
6768. Regkey
6769. Setval
6770.  
6771. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdent
6772. ifier\"BitNames" = Error Unusual Info Debug
6773. 3728
6774. API Call
6775.  
6776. API Name: Sleep Address: 0x0040de21
6777. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
6778. 3728
6779. API Call
6780.  
6781. API Name: GetSystemTime Address: 0x63004857
6782. Params: [0xf3e9c8]
6783. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
6784. 3728
6785. API Call
6786.  
6787. API Name: SystemTimeToFileTime Address: 0x63004862
6788. Params: [0xf3e9c8, 0x630b19f8]
6789. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
6790. 3728
6791. Regkey
6792. Added
6793.  
6794. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersio
6795. n\Internet Settings
6796. 3728
6797. Regkey
6798. Added
6799.  
6800. \REGISTRY\MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
6801. 3728
6802. Regkey
6803. Added
6804.  
6805. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters
6806. 3728
6807. Regkey
6808. Added
6809.  
6810. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing
6811. 3728
6812. Regkey
6813. Added
6814.  
6815. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil
6816. 3728
6817. Regkey
6818. Setval
6819.  
6820. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\"LogSessionNa
6821. me" = stdout
6822. 3728
6823. Regkey
6824. Setval
6825.  
6826. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\"Active" = 0x
6827. 00000001
6828. 3728
6829. Regkey
6830. Setval
6831.  
6832. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\"ControlFlags
6833. " = 0x00000001
6834. 3728
6835. Regkey
6836. Added
6837.  
6838. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifi
6839. er
6840. 3728
6841. Regkey
6842. Setval
6843.  
6844. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifi
6845. er\"Guid" = 8aefce96-4618-42ff-a057-3536aa78233e
6846. 3728
6847. Regkey
6848. Setval
6849.  
6850. \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifi
6851. er\"BitNames" = Error Unusual Info Debug
6852. 3728
6853. Regkey
6854. Added
6855.  
6856. \REGISTRY\MACHINE\SOFTWARE\Microsoft\ESENT\Process\factura
6857. 3728
6858. Regkey
6859. Added
6860.  
6861. \REGISTRY\MACHINE\SOFTWARE\Microsoft\ESENT\Process\factura\DEBUG
6862. 3728
6863. Regkey
6864. Deleteval
6865.  
6866. \REGISTRY\MACHINE\SOFTWARE\Microsoft\ESENT\Process\factura\DEBUG\"Trace Level"
6867. 3728
6868. Regkey
6869. Setval
6870.  
6871. \REGISTRY\MACHINE\SOFTWARE\Microsoft\ESENT\Process\factura\DEBUG\"Trace Level" =
6872. 3728
6873. Regkey
6874. Setval
6875.  
6876. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT\"EventMessageFile" = C:\W
6877. INDOWS\system32\ESENT.dll
6878. 3728
6879. Regkey
6880. Setval
6881.  
6882. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT\"CategoryMessageFile" = C
6883. :\WINDOWS\system32\ESENT.dll
6884. 3728
6885. Regkey
6886. Setval
6887.  
6888. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT\"CategoryCount" = 0x00000
6889. 010
6890. 3728
6891. Regkey
6892. Setval
6893.  
6894. \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT\"TypesSupported" = 0x0000
6895. 0007
6896. 3728
6897. Wmiquery
6898.  
6899. Imagepath: C:\WINDOWS\system32\wbem\wmiprvse.exe
6900. 3528
6901. API Call
6902.  
6903. API Name: GetSystemDirectoryA Address: 0x004f8683
6904. Params: [0xf3f924, 260]
6905. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
6906. 3728
6907. API Call
6908.  
6909. API Name: Sleep Address: 0x0040de21
6910. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
6911. 3728
6912. Network
6913. Connect
6914.  
6915. Protocol Type: tcp Destination Port: 9101 IP Address: 128.31.0.39
6916. Imagepath: c:\Documents and Settings\admin\Local Settings\Temp\factura.exe
6917. 3728
6918. API Call
6919.  
6920. API Name: Sleep Address: 0x0040de21
6921. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
6922. 3728
6923. API Call
6924.  
6925. API Name: Sleep Address: 0x0040de21
6926. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
6927. 3728
6928. ProcessTelemetryReport
6929.  
6930. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
6931. 3728
6932. 10 Repeated items skipped
6933. API Call
6934.  
6935. API Name: Sleep Address: 0x0040de21
6936. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
6937. 3728
6938. 4 Repeated items skipped
6939. Malicious Alert
6940. High Repeated Sleep Calls
6941.  
6942. Message: High repeated sleep calls
6943.  
6944. API Call
6945.  
6946. API Name: Sleep Address: 0x0040de21
6947. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
6948. 3728
6949. API Call
6950.  
6951. API Name: Sleep Address: 0x0040de21
6952. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
6953. 3728
6954. 4 Repeated items skipped
6955. Regkey
6956. Setval
6957.  
6958. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xmode" = 751
6959. 3728
6960. Regkey
6961. Added
6962.  
6963. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\
6964. 3728
6965. Regkey
6966. Setval
6967.  
6968. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xpk" = -----BEGIN PUBLIC KEY-----.MIIBojANBgkqhki
6969. G9w0BAQEFAAOCAY8AMIIBigKCAYEAzXhnkH11n+xqxQcisQj5.OefrHjVnqNj+WJAhxscQ47lIoTW8X82MNpwTr6ZWwWHTNB0
6970. uoppja4vH34ZPFFow.5F/vnPoHa027gaWAZg7o1CIlUeMrKQvRSDYjW8HEHpO16qfsPDWqOIUCpI/oAgpY.XC5neQgNUgQccO
6971. 6edxoZipUSlLZ5H8c+/996RNOM0NZawLBOLoWAHtSDYLVHgt2z.vsn43Z+nQbTzJtjHn9rtwv7ppecgE3JHTYQ4qI3T0CtF6S
6972. sO82mDqk7UPG3kqMb2.O13/g2G7u6vCtB951pbvG9A6z//zD2zwhufn6o8LRURvOUdRQaQGIxgCWD8KsLLS.fiXIBiemeVuHb
6973. OzK6cgaBR8K0Lcy1nnXo4gNZdDSRkFDcVAh4bSl8GztPYUSvFMG.5m8weQyyuABQ30O/AKtCHZlJPF0Ouy
6974. 3728
6975. Regkey
6976. Added
6977.  
6978. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\
6979. 3728
6980. Regkey
6981. Setval
6982.  
6983. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xstate" = 3
6984. 3728
6985. Regkey
6986. Added
6987.  
6988. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\
6989. 3728
6990. Regkey
6991. Setval
6992.  
6993. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 0
6994. 3728
6995. Regkey
6996. Added
6997.  
6998. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\
6999. 3728
7000. Regkey
7001. Setval
7002.  
7003. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"shst" = 2
7004. 3728
7005. API Call
7006.  
7007. API Name: GetSystemDirectoryW Address: 0x00413079
7008. Params: [0x12f200, 1024]
7009. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
7010. 3728
7011. API Call
7012.  
7013. API Name: Sleep Address: 0x0040de21
7014. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
7015. 3728
7016. API Call
7017.  
7018. API Name: Sleep Address: 0x0040de21
7019. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
7020. 3728
7021. 8 Repeated items skipped
7022. File
7023. Created
7024.  
7025. C:\README1.txt
7026. 3728
7027. File
7028. Close
7029.  
7030. C:\README1.txt
7031. MD5: 0723ecdfbdfd4e83bba7f77a14756784
7032. SHA1: d1933d895316c42bf6aca612ec9e8c45ff0d0d1e
7033. 3728 2136
7034. API Call
7035.  
7036. API Name: Sleep Address: 0x0040de21
7037. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
7038. 3728
7039. API Call
7040.  
7041. API Name: Sleep Address: 0x0040de21
7042. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
7043. 3728
7044. 3 Repeated items skipped
7045. File
7046. Created
7047.  
7048. C:\README2.txt
7049. 3728
7050. File
7051. Close
7052.  
7053. C:\README2.txt
7054. MD5: 0723ecdfbdfd4e83bba7f77a14756784
7055. SHA1: d1933d895316c42bf6aca612ec9e8c45ff0d0d1e
7056. 3728 2136
7057. File
7058. Created
7059.  
7060. C:\README3.txt
7061. 3728
7062. File
7063. Close
7064.  
7065. C:\README3.txt
7066. MD5: 0723ecdfbdfd4e83bba7f77a14756784
7067. SHA1: d1933d895316c42bf6aca612ec9e8c45ff0d0d1e
7068. 3728 2136
7069. API Call
7070.  
7071. API Name: Sleep Address: 0x0040de21
7072. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
7073. 3728
7074. File
7075. Created
7076.  
7077. C:\README4.txt
7078. 3728
7079. File
7080. Close
7081.  
7082. C:\README4.txt
7083. MD5: 0723ecdfbdfd4e83bba7f77a14756784
7084. SHA1: d1933d895316c42bf6aca612ec9e8c45ff0d0d1e
7085. 3728 2136
7086. File
7087. Created
7088.  
7089. C:\README5.txt
7090. 3728
7091. File
7092. Close
7093.  
7094. C:\README5.txt
7095. MD5: 0723ecdfbdfd4e83bba7f77a14756784
7096. SHA1: d1933d895316c42bf6aca612ec9e8c45ff0d0d1e
7097. 3728 2136
7098. API Call
7099.  
7100. API Name: Sleep Address: 0x0040de21
7101. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
7102. 3728
7103. File
7104. Created
7105.  
7106. C:\README6.txt
7107. 3728
7108. File
7109. Close
7110.  
7111. C:\README6.txt
7112. MD5: 0723ecdfbdfd4e83bba7f77a14756784
7113. SHA1: d1933d895316c42bf6aca612ec9e8c45ff0d0d1e
7114. 3728 2136
7115. API Call
7116.  
7117. API Name: Sleep Address: 0x0040de21
7118. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
7119. 3728
7120. File
7121. Created
7122.  
7123. C:\README7.txt
7124. 3728
7125. File
7126. Close
7127.  
7128. C:\README7.txt
7129. MD5: 0723ecdfbdfd4e83bba7f77a14756784
7130. SHA1: d1933d895316c42bf6aca612ec9e8c45ff0d0d1e
7131. 3728 2136
7132. File
7133. Created
7134.  
7135. C:\README8.txt
7136. 3728
7137. File
7138. Close
7139.  
7140. C:\README8.txt
7141. MD5: 0723ecdfbdfd4e83bba7f77a14756784
7142. SHA1: d1933d895316c42bf6aca612ec9e8c45ff0d0d1e
7143. 3728 2136
7144. API Call
7145.  
7146. API Name: Sleep Address: 0x0040de21
7147. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
7148. 3728
7149. File
7150. Created
7151.  
7152. C:\README9.txt
7153. 3728
7154. File
7155. Close
7156.  
7157. C:\README9.txt
7158. MD5: 0723ecdfbdfd4e83bba7f77a14756784
7159. SHA1: d1933d895316c42bf6aca612ec9e8c45ff0d0d1e
7160. 3728 2136
7161. File
7162. Created
7163.  
7164. C:\README10.txt
7165. 3728
7166. File
7167. Close
7168.  
7169. C:\README10.txt
7170. MD5: 0723ecdfbdfd4e83bba7f77a14756784
7171. SHA1: d1933d895316c42bf6aca612ec9e8c45ff0d0d1e
7172. 3728 2136
7173. Regkey
7174. Added
7175.  
7176. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\
7177. 3728
7178. Regkey
7179. Setval
7180.  
7181. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xstate" = 4
7182. 3728
7183. API Call
7184.  
7185. API Name: Sleep Address: 0x0040de21
7186. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
7187. 3728
7188. Regkey
7189. Added
7190.  
7191. \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
7192. 3728
7193. Regkey
7194. Added
7195.  
7196. \REGISTRY\USER\S-1-5-21-1409082233-688789844-725345543-1003\Software\Microsoft\Windows\CurrentVersio
7197. n\Explorer\User Shell Folders
7198. 3728
7199. API Call
7200.  
7201. API Name: Sleep Address: 0x0040de21
7202. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
7203. 3728
7204. API Call
7205.  
7206. API Name: GetSystemDirectoryW Address: 0x00413079
7207. Params: [0x12ef40, 1024]
7208. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
7209. 3728
7210. API Call
7211.  
7212. API Name: GetSystemDirectoryW Address: 0x00413079
7213. Params: [0x20ef570, 1024]
7214. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
7215. 3728
7216. File
7217. Find
7218.  
7219. C:\*
7220. 3728
7221. API Call
7222.  
7223. API Name: Sleep Address: 0x0040de21
7224. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
7225. 3728
7226. Regkey
7227. Added
7228.  
7229. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\
7230. 3728
7231. Regkey
7232. Setval
7233.  
7234. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 0
7235. 3728
7236. 7 Repeated items skipped
7237. API Call
7238.  
7239. API Name: Sleep Address: 0x0040de21
7240. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
7241. 3728
7242. Regkey
7243. Added
7244.  
7245. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\
7246. 3728
7247. Regkey
7248. Setval
7249.  
7250. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 0
7251. 3728
7252. 23 Repeated items skipped
7253. API Call
7254.  
7255. API Name: Sleep Address: 0x0040de21
7256. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
7257. 3728
7258. Regkey
7259. Added
7260.  
7261. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\
7262. 3728
7263. Regkey
7264. Setval
7265.  
7266. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 0
7267. 3728
7268. 11 Repeated items skipped
7269. File
7270. Failed
7271.  
7272. C:\System Volume Information
7273. 3728
7274. Regkey
7275. Added
7276.  
7277. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\
7278. 3728
7279. Regkey
7280. Setval
7281.  
7282. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 0
7283. 3728
7284. 65 Repeated items skipped
7285. File
7286. Find
7287.  
7288. C:\MSOCache\*
7289. 3728
7290. Regkey
7291. Added
7292.  
7293. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\
7294. 3728
7295. Regkey
7296. Setval
7297.  
7298. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 0
7299. 3728
7300. 23 Repeated items skipped
7301. File
7302. Find
7303.  
7304. C:\MSOCache\*\*
7305. 3728
7306. Regkey
7307. Added
7308.  
7309. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\
7310. 3728
7311. Regkey
7312. Setval
7313.  
7314. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 0
7315. 3728
7316. 81 Repeated items skipped
7317. File
7318. Open
7319.  
7320. C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\Setup.xml
7321. 3728 9952
7322. Regkey
7323. Added
7324.  
7325. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\
7326. 3728
7327. Regkey
7328. Setval
7329.  
7330. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 0
7331. 3728
7332. 13 Repeated items skipped
7333. File
7334. Close
7335.  
7336. C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\Setup.xml
7337. MD5: 9e188ff151ebb7c60f0d18c1e5f1400d
7338. SHA1: 3692667bfdeb85ead1958b5392498768172773c0
7339. 3728 10336
7340. Regkey
7341. Added
7342.  
7343. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\
7344. 3728
7345. Regkey
7346. Setval
7347.  
7348. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 0
7349. 3728
7350. 3 Repeated items skipped
7351. File
7352. Open
7353.  
7354. C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\Setup.xml
7355. MD5: 9e188ff151ebb7c60f0d18c1e5f1400d
7356. SHA1: 3692667bfdeb85ead1958b5392498768172773c0
7357. 3728 10336
7358. File
7359. Close
7360.  
7361. C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\Setup.xml
7362. MD5: 526d94208b86b05e22bce4cd6962ba33
7363. SHA1: 483427412bf5a08c91e450745d8e03a413cfb214
7364. 3728 10336
7365. Regkey
7366. Added
7367.  
7368. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\
7369. 3728
7370. Regkey
7371. Setval
7372.  
7373. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 0
7374. 3728
7375. 35 Repeated items skipped
7376. File
7377. Rename
7378.  
7379. Old Name: C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\Setup.xml
7380. New Name: C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\WeBlMTjJcwcvUDmf4eL5SL7kg+7nPVmiJog5J
7381. 37q6vg=.4F3773E1C2AF79622E62.no_more_ransom
7382. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
7383. MD5: 526d94208b86b05e22bce4cd6962ba33
7384. SHA1: 483427412bf5a08c91e450745d8e03a413cfb214
7385. 3728 10336
7386. Regkey
7387. Added
7388.  
7389. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\
7390. 3728
7391. Regkey
7392. Setval
7393.  
7394. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 0
7395. 3728
7396. 12 Repeated items skipped
7397. Regkey
7398. Setval
7399.  
7400. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 1
7401. 3728
7402. File
7403. Failed
7404.  
7405. C:\Documents and Settings\All Users\Application Data\System32
7406. 3728
7407. Folder
7408. Created
7409.  
7410. C:\Documents and Settings\All Users\Application Data\System32
7411. 3728
7412. Folder
7413. Hide
7414.  
7415. C:\Documents and Settings\All Users\Application Data\System32
7416. 3728
7417. File
7418. Failed
7419.  
7420. C:\Documents and Settings\All Users\Application Data\System32\xfs
7421. 3728
7422. File
7423. Open
7424.  
7425. C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\setup.chm
7426. 3728 52984
7427. File
7428. Created
7429.  
7430. C:\Documents and Settings\All Users\Application Data\System32\xfs
7431. 3728
7432. File
7433. Close
7434.  
7435. C:\Documents and Settings\All Users\Application Data\System32\xfs
7436. MD5: 39d6b4bdcfe73f17b9647dccb3861a23
7437. SHA1: 72dbf1c9f3865e02a1de5729ab99335aac74c190
7438. 3728 180
7439. File
7440. Hide
7441.  
7442. C:\Documents and Settings\All Users\Application Data\System32\xfs
7443. MD5: 39d6b4bdcfe73f17b9647dccb3861a23
7444. SHA1: 72dbf1c9f3865e02a1de5729ab99335aac74c190
7445. 3728 180
7446. Regkey
7447. Setval
7448.  
7449. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 1
7450. 3728
7451. 2 Repeated items skipped
7452. File
7453. Close
7454.  
7455. C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\setup.chm
7456. MD5: 5f3c50cf290ff62bdb66df5c89c0c18d
7457. SHA1: 11a0f6e7fff411f122496f15131f568c68ba708e
7458. 3728 53368
7459. Regkey
7460. Setval
7461.  
7462. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 1
7463. 3728
7464. 4 Repeated items skipped
7465. File
7466. Open
7467.  
7468. C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\setup.chm
7469. MD5: 5f3c50cf290ff62bdb66df5c89c0c18d
7470. SHA1: 11a0f6e7fff411f122496f15131f568c68ba708e
7471. 3728 53368
7472. File
7473. Close
7474.  
7475. C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\setup.chm
7476. MD5: 5bdd0fcc46d6876979a94c62b6984d64
7477. SHA1: 254eb3d2842f8f54d092eee34a695f0f05991815
7478. 3728 53376
7479. Regkey
7480. Setval
7481.  
7482. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 1
7483. 3728
7484. 5 Repeated items skipped
7485. API Call
7486.  
7487. API Name: Sleep Address: 0x0040de21
7488. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
7489. 3728
7490. Regkey
7491. Setval
7492.  
7493. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 1
7494. 3728
7495. File
7496. Rename
7497.  
7498. Old Name: C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\setup.chm
7499. New Name: C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\nNw-Xv39McNTXd2F5L-HbUFAg2vFYTJDS+mgG
7500. 77zIuo=.4F3773E1C2AF79622E62.no_more_ransom
7501. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
7502. MD5: 5bdd0fcc46d6876979a94c62b6984d64
7503. SHA1: 254eb3d2842f8f54d092eee34a695f0f05991815
7504. 3728 53376
7505. Regkey
7506. Setval
7507.  
7508. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 2
7509. 3728
7510. File
7511. Open
7512.  
7513. C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\pss10r.chm
7514. 3728 27084
7515. File
7516. Close
7517.  
7518. C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\pss10r.chm
7519. MD5: a49331f89a2bf3e827bc17611cd957bf
7520. SHA1: c51115ce29cff90778d52596de2da5843cb7cf5e
7521. 3728 27468
7522. File
7523. Open
7524.  
7525. C:\Documents and Settings\All Users\Application Data\System32\xfs
7526. MD5: 39d6b4bdcfe73f17b9647dccb3861a23
7527. SHA1: 72dbf1c9f3865e02a1de5729ab99335aac74c190
7528. 3728 180
7529. File
7530. Close
7531.  
7532. C:\Documents and Settings\All Users\Application Data\System32\xfs
7533. MD5: 49bec89058fd36507cb17d359fed9845
7534. SHA1: 40c65ebe1a8477a7624e257b2def09c37ca464ea
7535. 3728 362
7536. File
7537. Open
7538.  
7539. C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\pss10r.chm
7540. MD5: a49331f89a2bf3e827bc17611cd957bf
7541. SHA1: c51115ce29cff90778d52596de2da5843cb7cf5e
7542. 3728 27468
7543. File
7544. Close
7545.  
7546. C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\pss10r.chm
7547. MD5: 4169825d4e126c52cc987adcc282f99c
7548. SHA1: 385ed662bfde2035fc1f9b3651176abf30728505
7549. 3728 27472
7550. File
7551. Hide
7552.  
7553. C:\Documents and Settings\All Users\Application Data\System32\xfs
7554. MD5: 49bec89058fd36507cb17d359fed9845
7555. SHA1: 40c65ebe1a8477a7624e257b2def09c37ca464ea
7556. 3728 362
7557. Regkey
7558. Setval
7559.  
7560. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 2
7561. 3728
7562. 4 Repeated items skipped
7563. File
7564. Rename
7565.  
7566. Old Name: C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\pss10r.chm
7567. New Name: C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\eA5Rrbs1zCmjnnhk0QYg1H353H4W3oXrwqWdW
7568. -dAmhI=.4F3773E1C2AF79622E62.no_more_ransom
7569. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
7570. MD5: 4169825d4e126c52cc987adcc282f99c
7571. SHA1: 385ed662bfde2035fc1f9b3651176abf30728505
7572. 3728 27472
7573. Regkey
7574. Setval
7575.  
7576. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 3
7577. 3728
7578. File
7579. Open
7580.  
7581. C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.xml
7582. 3728 821
7583. File
7584. Open
7585.  
7586. C:\Documents and Settings\All Users\Application Data\System32\xfs
7587. MD5: 49bec89058fd36507cb17d359fed9845
7588. SHA1: 40c65ebe1a8477a7624e257b2def09c37ca464ea
7589. 3728 362
7590. File
7591. Close
7592.  
7593. C:\Documents and Settings\All Users\Application Data\System32\xfs
7594. MD5: 4dd0c83846ce516c8aff8a850b94063c
7595. SHA1: 1d271a435269bd1fb2573c8038ce9d0d0f81667b
7596. 3728 546
7597. File
7598. Close
7599.  
7600. C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.xml
7601. MD5: da67a12f5df2eb9d0812f401a25463c3
7602. SHA1: 600998178a96ef8704427403906f58ff77c45a4a
7603. 3728 1205
7604. File
7605. Hide
7606.  
7607. C:\Documents and Settings\All Users\Application Data\System32\xfs
7608. MD5: 4dd0c83846ce516c8aff8a850b94063c
7609. SHA1: 1d271a435269bd1fb2573c8038ce9d0d0f81667b
7610. 3728 546
7611. Regkey
7612. Setval
7613.  
7614. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 3
7615. 3728
7616. 3 Repeated items skipped
7617. File
7618. Open
7619.  
7620. C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.xml
7621. MD5: da67a12f5df2eb9d0812f401a25463c3
7622. SHA1: 600998178a96ef8704427403906f58ff77c45a4a
7623. 3728 1205
7624. File
7625. Close
7626.  
7627. C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.xml
7628. MD5: 140d643b8e67c3bb53aa07fb5e066ae2
7629. SHA1: 6b09b2cc0fa68338211b68313f6cb3dff0b21d47
7630. 3728 1216
7631. Regkey
7632. Setval
7633.  
7634. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 3
7635. 3728
7636. 6 Repeated items skipped
7637. File
7638. Rename
7639.  
7640. Old Name: C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.xml
7641. New Name: C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\EDtCuwa46RBI+UnHpL973M85wamzyPI9WOlBL
7642. 1x-W-E=.4F3773E1C2AF79622E62.no_more_ransom
7643. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
7644. MD5: 140d643b8e67c3bb53aa07fb5e066ae2
7645. SHA1: 6b09b2cc0fa68338211b68313f6cb3dff0b21d47
7646. 3728 1216
7647. Regkey
7648. Setval
7649.  
7650. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 4
7651. 3728
7652. File
7653. Open
7654.  
7655. C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.xml
7656. 3728 6003
7657. File
7658. Close
7659.  
7660. C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.xml
7661. MD5: 070b01fbe9f691c002dfb729c9770823
7662. SHA1: ba0f854e5ec4810ef4cab70365219a4449090039
7663. 3728 6387
7664. File
7665. Open
7666.  
7667. C:\Documents and Settings\All Users\Application Data\System32\xfs
7668. MD5: 4dd0c83846ce516c8aff8a850b94063c
7669. SHA1: 1d271a435269bd1fb2573c8038ce9d0d0f81667b
7670. 3728 546
7671. File
7672. Close
7673.  
7674. C:\Documents and Settings\All Users\Application Data\System32\xfs
7675. MD5: 29d6881402caf7e553b5335a2d9bb161
7676. SHA1: a544250d8725b1263d0f11b5a5f0346b9a8035b8
7677. 3728 742
7678. File
7679. Open
7680.  
7681. C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.xml
7682. MD5: 070b01fbe9f691c002dfb729c9770823
7683. SHA1: ba0f854e5ec4810ef4cab70365219a4449090039
7684. 3728 6387
7685. File
7686. Close
7687.  
7688. C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.xml
7689. MD5: 5d296d937f0f4a26e3c495f758777d1a
7690. SHA1: 99c61a98132b64a58796dfa557105de889c06ea4
7691. 3728 6400
7692. File
7693. Hide
7694.  
7695. C:\Documents and Settings\All Users\Application Data\System32\xfs
7696. MD5: 29d6881402caf7e553b5335a2d9bb161
7697. SHA1: a544250d8725b1263d0f11b5a5f0346b9a8035b8
7698. 3728 742
7699. Regkey
7700. Setval
7701.  
7702. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 4
7703. 3728
7704. 6 Repeated items skipped
7705. File
7706. Rename
7707.  
7708. Old Name: C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.xml
7709. New Name: C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\dAUHwYfk3SIwZYR4qhbLVjFaZB45QFe0y0+k-
7710. ypxh70=.4F3773E1C2AF79622E62.no_more_ransom
7711. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
7712. MD5: 5d296d937f0f4a26e3c495f758777d1a
7713. SHA1: 99c61a98132b64a58796dfa557105de889c06ea4
7714. 3728 6400
7715. API Call
7716.  
7717. API Name: Sleep Address: 0x0040de21
7718. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
7719. 3728
7720. Regkey
7721. Setval
7722.  
7723. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 4
7724. 3728
7725. Regkey
7726. Setval
7727.  
7728. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 5
7729. 3728
7730. File
7731. Open
7732.  
7733. C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\branding.xml
7734. 3728 509007
7735. File
7736. Open
7737.  
7738. C:\Documents and Settings\All Users\Application Data\System32\xfs
7739. MD5: 29d6881402caf7e553b5335a2d9bb161
7740. SHA1: a544250d8725b1263d0f11b5a5f0346b9a8035b8
7741. 3728 742
7742. File
7743. Close
7744.  
7745. C:\Documents and Settings\All Users\Application Data\System32\xfs
7746. MD5: 6d2240cf059098ee1286d2672309d5c9
7747. SHA1: 2f77f555976d3454946f630a8dbc952463d8bdf2
7748. 3728 932
7749. ProcessTelemetryReport
7750.  
7751. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
7752. 3728
7753. File
7754. Hide
7755.  
7756. C:\Documents and Settings\All Users\Application Data\System32\xfs
7757. MD5: 6d2240cf059098ee1286d2672309d5c9
7758. SHA1: 2f77f555976d3454946f630a8dbc952463d8bdf2
7759. 3728 932
7760. Regkey
7761. Setval
7762.  
7763. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 5
7764. 3728
7765. 28 Repeated items skipped
7766. File
7767. Close
7768.  
7769. C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\branding.xml
7770. MD5: 5f38fbd6c81b774fed2b9e5ab9f3689f
7771. SHA1: c76d7ab3d0f2d9f394486d273b74ed0bc2460d61
7772. 3728 509391
7773. Regkey
7774. Setval
7775.  
7776. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 5
7777. 3728
7778. File
7779. Open
7780.  
7781. C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\branding.xml
7782. MD5: 5f38fbd6c81b774fed2b9e5ab9f3689f
7783. SHA1: c76d7ab3d0f2d9f394486d273b74ed0bc2460d61
7784. 3728 509391
7785. Regkey
7786. Setval
7787.  
7788. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 5
7789. 3728
7790. 16 Repeated items skipped
7791. File
7792. Close
7793.  
7794. C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\branding.xml
7795. MD5: 0bedb1aed513ed1625ae4728f6abeff1
7796. SHA1: 9b5f198b66c073b0e4ed17dd9b20ad245e700b6b
7797. 3728 509392
7798. Regkey
7799. Setval
7800.  
7801. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 5
7802. 3728
7803. 3 Repeated items skipped
7804. API Call
7805.  
7806. API Name: Sleep Address: 0x0040de21
7807. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
7808. 3728
7809. Regkey
7810. Setval
7811.  
7812. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 5
7813. 3728
7814. 3 Repeated items skipped
7815. File
7816. Rename
7817.  
7818. Old Name: C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\branding.xml
7819. New Name: C:\MSOCache\All Users\{90120000-0115-0409-0000-0000000FF1CE}-C\5B7s1mKwxQV6IjC0KYnS3UiJaftOwiqXuAJnU
7820. cHeyzM=.4F3773E1C2AF79622E62.no_more_ransom
7821. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
7822. MD5: 0bedb1aed513ed1625ae4728f6abeff1
7823. SHA1: 9b5f198b66c073b0e4ed17dd9b20ad245e700b6b
7824. 3728 509392
7825. Regkey
7826. Setval
7827.  
7828. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 6
7829. 3728
7830. File
7831. Open
7832.  
7833. C:\Documents and Settings\All Users\Application Data\System32\xfs
7834. MD5: 6d2240cf059098ee1286d2672309d5c9
7835. SHA1: 2f77f555976d3454946f630a8dbc952463d8bdf2
7836. 3728 932
7837. File
7838. Close
7839.  
7840. C:\Documents and Settings\All Users\Application Data\System32\xfs
7841. MD5: ad51c6802f2b39833f203e535fb75491
7842. SHA1: 62614e7056efe54b51fb10c38cd233241b77bad1
7843. 3728 1120
7844. File
7845. Hide
7846.  
7847. C:\Documents and Settings\All Users\Application Data\System32\xfs
7848. MD5: ad51c6802f2b39833f203e535fb75491
7849. SHA1: 62614e7056efe54b51fb10c38cd233241b77bad1
7850. 3728 1120
7851. Regkey
7852. Setval
7853.  
7854. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 6
7855. 3728
7856. 11 Repeated items skipped
7857. File
7858. Open
7859.  
7860. C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml
7861. 3728 1459
7862. Regkey
7863. Setval
7864.  
7865. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 6
7866. 3728
7867. 15 Repeated items skipped
7868. File
7869. Close
7870.  
7871. C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml
7872. MD5: e16508f02b43d4a9264a91fa5502bc1e
7873. SHA1: ca0e4a56740f26af33271e5a95393a388ccff756
7874. 3728 1843
7875. Regkey
7876. Setval
7877.  
7878. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 6
7879. 3728
7880. 2 Repeated items skipped
7881. File
7882. Open
7883.  
7884. C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml
7885. MD5: e16508f02b43d4a9264a91fa5502bc1e
7886. SHA1: ca0e4a56740f26af33271e5a95393a388ccff756
7887. 3728 1843
7888. File
7889. Close
7890.  
7891. C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml
7892. MD5: 7e6b76d2cde4c6fdbc5881656d544362
7893. SHA1: 362fdb15c92193f5d9fd42ffe44ff3672cf49151
7894. 3728 1856
7895. Regkey
7896. Setval
7897.  
7898. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 6
7899. 3728
7900. 7 Repeated items skipped
7901. File
7902. Rename
7903.  
7904. Old Name: C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml
7905. New Name: C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\K5Wai+aK3surjjzsQuxdn-hOs6US
7906. OFWmJ9lUpRzi+Q4=.4F3773E1C2AF79622E62.no_more_ransom
7907. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
7908. MD5: 7e6b76d2cde4c6fdbc5881656d544362
7909. SHA1: 362fdb15c92193f5d9fd42ffe44ff3672cf49151
7910. 3728 1856
7911. Regkey
7912. Setval
7913.  
7914. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 7
7915. 3728
7916. File
7917. Open
7918.  
7919. C:\Documents and Settings\All Users\Application Data\System32\xfs
7920. MD5: ad51c6802f2b39833f203e535fb75491
7921. SHA1: 62614e7056efe54b51fb10c38cd233241b77bad1
7922. 3728 1120
7923. File
7924. Close
7925.  
7926. C:\Documents and Settings\All Users\Application Data\System32\xfs
7927. MD5: 7803af02e7e1c5aadddf50a12ecbf86c
7928. SHA1: 1cdd3c9ba24f1791c2f77c7a1856c6fdf0032465
7929. 3728 1320
7930. File
7931. Open
7932.  
7933. C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml
7934. 3728 1460
7935. File
7936. Hide
7937.  
7938. C:\Documents and Settings\All Users\Application Data\System32\xfs
7939. MD5: 7803af02e7e1c5aadddf50a12ecbf86c
7940. SHA1: 1cdd3c9ba24f1791c2f77c7a1856c6fdf0032465
7941. 3728 1320
7942. Regkey
7943. Setval
7944.  
7945. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 7
7946. 3728
7947. 4 Repeated items skipped
7948. File
7949. Close
7950.  
7951. C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml
7952. MD5: 9de64cba62c419401287f1530dae07c9
7953. SHA1: b17278cfcef6dfdbd5b3c08280be92c32a442ab4
7954. 3728 1844
7955. Regkey
7956. Setval
7957.  
7958. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 7
7959. 3728
7960. 2 Repeated items skipped
7961. File
7962. Open
7963.  
7964. C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml
7965. MD5: 9de64cba62c419401287f1530dae07c9
7966. SHA1: b17278cfcef6dfdbd5b3c08280be92c32a442ab4
7967. 3728 1844
7968. File
7969. Close
7970.  
7971. C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml
7972. MD5: c34e92cfe3bda1cd927384732e5830b3
7973. SHA1: 5f7e129a2796604c9e9b66112b2d7c3f77ba0ef2
7974. 3728 1856
7975. Regkey
7976. Setval
7977.  
7978. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 7
7979. 3728
7980. 7 Repeated items skipped
7981. File
7982. Rename
7983.  
7984. Old Name: C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml
7985. New Name: C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Proof.es\hPbLH0WyPWeI7QFpiqVjivfK2svX
7986. dsGQjOBl1NyOhw4=.4F3773E1C2AF79622E62.no_more_ransom
7987. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
7988. MD5: c34e92cfe3bda1cd927384732e5830b3
7989. SHA1: 5f7e129a2796604c9e9b66112b2d7c3f77ba0ef2
7990. 3728 1856
7991. API Call
7992.  
7993. API Name: Sleep Address: 0x0040de21
7994. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
7995. 3728
7996. File
7997. Open
7998.  
7999. C:\Documents and Settings\All Users\Application Data\System32\xfs
8000. MD5: 7803af02e7e1c5aadddf50a12ecbf86c
8001. SHA1: 1cdd3c9ba24f1791c2f77c7a1856c6fdf0032465
8002. 3728 1320
8003. File
8004. Close
8005.  
8006. C:\Documents and Settings\All Users\Application Data\System32\xfs
8007. MD5: 940126e4a32ba6613d92486fc48e2c65
8008. SHA1: 2539fe2fcf1492c57fa3ee09e9b59342120d11d4
8009. 3728 1520
8010. File
8011. Hide
8012.  
8013. C:\Documents and Settings\All Users\Application Data\System32\xfs
8014. MD5: 940126e4a32ba6613d92486fc48e2c65
8015. SHA1: 2539fe2fcf1492c57fa3ee09e9b59342120d11d4
8016. 3728 1520
8017. File
8018. Open
8019.  
8020. C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml
8021. 3728 1350
8022. File
8023. Close
8024.  
8025. C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml
8026. MD5: df68c1d0d04f14d4e0c21218362f78fa
8027. SHA1: e69ca8f51c57ff6cefe469110b8d0b35a12f5521
8028. 3728 1734
8029. File
8030. Open
8031.  
8032. C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml
8033. MD5: df68c1d0d04f14d4e0c21218362f78fa
8034. SHA1: e69ca8f51c57ff6cefe469110b8d0b35a12f5521
8035. 3728 1734
8036. File
8037. Close
8038.  
8039. C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml
8040. MD5: b409bd7e10f3a370916eed3600bac027
8041. SHA1: 512e08aa891bfc4ac7b65b7cb572a52a40695f8c
8042. 3728 1744
8043. File
8044. Rename
8045.  
8046. Old Name: C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml
8047. New Name: C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Proof.en\UEUCF5aYo80+42hgcshX9r1PWTJh
8048. -42KDE6GCGI0VqY=.4F3773E1C2AF79622E62.no_more_ransom
8049. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
8050. MD5: b409bd7e10f3a370916eed3600bac027
8051. SHA1: 512e08aa891bfc4ac7b65b7cb572a52a40695f8c
8052. 3728 1744
8053. File
8054. Open
8055.  
8056. C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Setup.xml
8057. 3728 5884
8058. File
8059. Open
8060.  
8061. C:\Documents and Settings\All Users\Application Data\System32\xfs
8062. MD5: 940126e4a32ba6613d92486fc48e2c65
8063. SHA1: 2539fe2fcf1492c57fa3ee09e9b59342120d11d4
8064. 3728 1520
8065. File
8066. Close
8067.  
8068. C:\Documents and Settings\All Users\Application Data\System32\xfs
8069. MD5: 1f5e8f24654b230fd5018091adf26c21
8070. SHA1: a9b4a3e7301660453ed15670c2aaa548817ee0fd
8071. 3728 1720
8072. File
8073. Close
8074.  
8075. C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Setup.xml
8076. MD5: 6eee90ce2e4083c55dc6cd9f7fc08d0c
8077. SHA1: 3e0d027d2861b6569fc0d6c5e4f197997a7f8819
8078. 3728 6268
8079. File
8080. Hide
8081.  
8082. C:\Documents and Settings\All Users\Application Data\System32\xfs
8083. MD5: 1f5e8f24654b230fd5018091adf26c21
8084. SHA1: a9b4a3e7301660453ed15670c2aaa548817ee0fd
8085. 3728 1720
8086. File
8087. Open
8088.  
8089. C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Setup.xml
8090. MD5: 6eee90ce2e4083c55dc6cd9f7fc08d0c
8091. SHA1: 3e0d027d2861b6569fc0d6c5e4f197997a7f8819
8092. 3728 6268
8093. File
8094. Close
8095.  
8096. C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Setup.xml
8097. MD5: dc2345e8176d8a8a14de418af4cbeb91
8098. SHA1: fb962432bcc57c2388842a2878e922f3245e7c3d
8099. 3728 6272
8100. File
8101. Rename
8102.  
8103. Old Name: C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Setup.xml
8104. New Name: C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\2jFEZub-kNhUofdW7aQMZnPaeycuIwBxMkdp1
8105. I21TcQ=.4F3773E1C2AF79622E62.no_more_ransom
8106. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
8107. MD5: dc2345e8176d8a8a14de418af4cbeb91
8108. SHA1: fb962432bcc57c2388842a2878e922f3245e7c3d
8109. 3728 6272
8110. File
8111. Open
8112.  
8113. C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml
8114. 3728 813
8115. File
8116. Open
8117.  
8118. C:\Documents and Settings\All Users\Application Data\System32\xfs
8119. MD5: 1f5e8f24654b230fd5018091adf26c21
8120. SHA1: a9b4a3e7301660453ed15670c2aaa548817ee0fd
8121. 3728 1720
8122. File
8123. Close
8124.  
8125. C:\Documents and Settings\All Users\Application Data\System32\xfs
8126. MD5: c25de7981dc4c990696ab51451fbf8fb
8127. SHA1: 525b9082b94f67a7d7e297b7271928469d74566b
8128. 3728 1902
8129. File
8130. Close
8131.  
8132. C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml
8133. MD5: 35b1d92672df1220ae323bd888669d6d
8134. SHA1: 285ba81b0f6fb9b30627759ed40219eee40a3ae9
8135. 3728 1197
8136. File
8137. Hide
8138.  
8139. C:\Documents and Settings\All Users\Application Data\System32\xfs
8140. MD5: c25de7981dc4c990696ab51451fbf8fb
8141. SHA1: 525b9082b94f67a7d7e297b7271928469d74566b
8142. 3728 1902
8143. File
8144. Open
8145.  
8146. C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml
8147. MD5: 35b1d92672df1220ae323bd888669d6d
8148. SHA1: 285ba81b0f6fb9b30627759ed40219eee40a3ae9
8149. 3728 1197
8150. File
8151. Close
8152.  
8153. C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml
8154. MD5: ee662580ebe0ac58488d8744ae996654
8155. SHA1: a0bee3175249b78beabe24c019d3e1ca61c6a194
8156. 3728 1200
8157. File
8158. Rename
8159.  
8160. Old Name: C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml
8161. New Name: C:\MSOCache\All Users\{90120000-002C-0409-0000-0000000FF1CE}-C\+tmqgjz--OX8VY8O93nQfZ7llvlWOULdWsu9q
8162. tMFeAs=.4F3773E1C2AF79622E62.no_more_ransom
8163. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
8164. MD5: ee662580ebe0ac58488d8744ae996654
8165. SHA1: a0bee3175249b78beabe24c019d3e1ca61c6a194
8166. 3728 1200
8167. File
8168. Open
8169.  
8170. C:\Documents and Settings\All Users\Application Data\System32\xfs
8171. MD5: c25de7981dc4c990696ab51451fbf8fb
8172. SHA1: 525b9082b94f67a7d7e297b7271928469d74566b
8173. 3728 1902
8174. File
8175. Close
8176.  
8177. C:\Documents and Settings\All Users\Application Data\System32\xfs
8178. MD5: ed13264cda60f8409a0e3979451bfd79
8179. SHA1: 4afc9bdff1595151802cd32ad3ff2303382e088f
8180. 3728 2090
8181. File
8182. Hide
8183.  
8184. C:\Documents and Settings\All Users\Application Data\System32\xfs
8185. MD5: ed13264cda60f8409a0e3979451bfd79
8186. SHA1: 4afc9bdff1595151802cd32ad3ff2303382e088f
8187. 3728 2090
8188. File
8189. Open
8190.  
8191. C:\MSOCache\All Users\{90120000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml
8192. 3728 1798
8193. File
8194. Close
8195.  
8196. C:\MSOCache\All Users\{90120000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml
8197. MD5: ceac06b41fa39625c54f46de384d8de7
8198. SHA1: 867fc866ef7224620fb45e0279052f446d03c9cc
8199. 3728 2182
8200. API Call
8201.  
8202. API Name: Sleep Address: 0x0040de21
8203. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
8204. 3728
8205. File
8206. Open
8207.  
8208. C:\MSOCache\All Users\{90120000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml
8209. MD5: ceac06b41fa39625c54f46de384d8de7
8210. SHA1: 867fc866ef7224620fb45e0279052f446d03c9cc
8211. 3728 2182
8212. File
8213. Close
8214.  
8215. C:\MSOCache\All Users\{90120000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml
8216. MD5: 108f8cbcba74b1868e18dcf8313e0ae7
8217. SHA1: 3b63574a1241b451e745c6dfda08ef5330068ec8
8218. 3728 2192
8219. File
8220. Rename
8221.  
8222. Old Name: C:\MSOCache\All Users\{90120000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml
8223. New Name: C:\MSOCache\All Users\{90120000-001B-0409-0000-0000000FF1CE}-C\NPDRxRGfuWLc4YyCttqjRu7c37RG7moH+Uz2B
8224. BPL3o4=.4F3773E1C2AF79622E62.no_more_ransom
8225. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
8226. MD5: 108f8cbcba74b1868e18dcf8313e0ae7
8227. SHA1: 3b63574a1241b451e745c6dfda08ef5330068ec8
8228. 3728 2192
8229. File
8230. Open
8231.  
8232. C:\MSOCache\All Users\{90120000-001B-0409-0000-0000000FF1CE}-C\Setup.xml
8233. 3728 2678
8234. File
8235. Open
8236.  
8237. C:\Documents and Settings\All Users\Application Data\System32\xfs
8238. MD5: ed13264cda60f8409a0e3979451bfd79
8239. SHA1: 4afc9bdff1595151802cd32ad3ff2303382e088f
8240. 3728 2090
8241. File
8242. Close
8243.  
8244. C:\Documents and Settings\All Users\Application Data\System32\xfs
8245. MD5: 42f50ecb88c87b557cb7030c8617742e
8246. SHA1: ce7f0f71b96e929b8fae83c76cbea984b92bac02
8247. 3728 2276
8248. File
8249. Close
8250.  
8251. C:\MSOCache\All Users\{90120000-001B-0409-0000-0000000FF1CE}-C\Setup.xml
8252. MD5: 81850f130be03bb5d96652612e27bd19
8253. SHA1: bfd68b4d70791257a31b2b43ce6c0845d2b20ae7
8254. 3728 3062
8255. File
8256. Hide
8257.  
8258. C:\Documents and Settings\All Users\Application Data\System32\xfs
8259. MD5: 42f50ecb88c87b557cb7030c8617742e
8260. SHA1: ce7f0f71b96e929b8fae83c76cbea984b92bac02
8261. 3728 2276
8262. File
8263. Open
8264.  
8265. C:\MSOCache\All Users\{90120000-001B-0409-0000-0000000FF1CE}-C\Setup.xml
8266. MD5: 81850f130be03bb5d96652612e27bd19
8267. SHA1: bfd68b4d70791257a31b2b43ce6c0845d2b20ae7
8268. 3728 3062
8269. File
8270. Close
8271.  
8272. C:\MSOCache\All Users\{90120000-001B-0409-0000-0000000FF1CE}-C\Setup.xml
8273. MD5: 100276c983466d50393631f5d524dc8f
8274. SHA1: 162b0c03a3530cad36ebb78fdacbfa69fd6da299
8275. 3728 3072
8276. File
8277. Rename
8278.  
8279. Old Name: C:\MSOCache\All Users\{90120000-001B-0409-0000-0000000FF1CE}-C\Setup.xml
8280. New Name: C:\MSOCache\All Users\{90120000-001B-0409-0000-0000000FF1CE}-C\V6-v4fjcJiMhVgbT5pXf4cGo8VeeFihQWlRrc
8281. df3Ym0=.4F3773E1C2AF79622E62.no_more_ransom
8282. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
8283. MD5: 100276c983466d50393631f5d524dc8f
8284. SHA1: 162b0c03a3530cad36ebb78fdacbfa69fd6da299
8285. 3728 3072
8286. File
8287. Open
8288.  
8289. C:\Documents and Settings\All Users\Application Data\System32\xfs
8290. MD5: 42f50ecb88c87b557cb7030c8617742e
8291. SHA1: ce7f0f71b96e929b8fae83c76cbea984b92bac02
8292. 3728 2276
8293. File
8294. Close
8295.  
8296. C:\Documents and Settings\All Users\Application Data\System32\xfs
8297. MD5: 0e1be55567ced43ce4300e528343122d
8298. SHA1: 336e6a8baab9a77f989576a49211b8815c953179
8299. 3728 2458
8300. File
8301. Open
8302.  
8303. C:\MSOCache\All Users\{90120000-001A-0409-0000-0000000FF1CE}-C\Setup.xml
8304. 3728 3861
8305. File
8306. Hide
8307.  
8308. C:\Documents and Settings\All Users\Application Data\System32\xfs
8309. MD5: 0e1be55567ced43ce4300e528343122d
8310. SHA1: 336e6a8baab9a77f989576a49211b8815c953179
8311. 3728 2458
8312. File
8313. Close
8314.  
8315. C:\MSOCache\All Users\{90120000-001A-0409-0000-0000000FF1CE}-C\Setup.xml
8316. MD5: a0ac55d038533309ff1c05457377edf4
8317. SHA1: 33280b32277cb2d7331aefaeae88bf0e38ce500f
8318. 3728 4245
8319. File
8320. Open
8321.  
8322. C:\MSOCache\All Users\{90120000-001A-0409-0000-0000000FF1CE}-C\Setup.xml
8323. MD5: a0ac55d038533309ff1c05457377edf4
8324. SHA1: 33280b32277cb2d7331aefaeae88bf0e38ce500f
8325. 3728 4245
8326. File
8327. Close
8328.  
8329. C:\MSOCache\All Users\{90120000-001A-0409-0000-0000000FF1CE}-C\Setup.xml
8330. MD5: 9a8fe5019cc6a4ea5bf18ddeff42e562
8331. SHA1: f4f8a75364e4b925ec6d8c5704632c230f1c23f6
8332. 3728 4256
8333. File
8334. Rename
8335.  
8336. Old Name: C:\MSOCache\All Users\{90120000-001A-0409-0000-0000000FF1CE}-C\Setup.xml
8337. New Name: C:\MSOCache\All Users\{90120000-001A-0409-0000-0000000FF1CE}-C\ofjhwmbngehiwyu2Z+NKLAEJCTWJnPyGGqCuw
8338. 3wA5e8=.4F3773E1C2AF79622E62.no_more_ransom
8339. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
8340. MD5: 9a8fe5019cc6a4ea5bf18ddeff42e562
8341. SHA1: f4f8a75364e4b925ec6d8c5704632c230f1c23f6
8342. 3728 4256
8343. File
8344. Open
8345.  
8346. C:\MSOCache\All Users\{90120000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml
8347. 3728 2945
8348. File
8349. Open
8350.  
8351. C:\Documents and Settings\All Users\Application Data\System32\xfs
8352. MD5: 0e1be55567ced43ce4300e528343122d
8353. SHA1: 336e6a8baab9a77f989576a49211b8815c953179
8354. 3728 2458
8355. File
8356. Close
8357.  
8358. C:\Documents and Settings\All Users\Application Data\System32\xfs
8359. MD5: 7b3e4ae96366e55872aaf0ce3add12e8
8360. SHA1: d249b66143545c76193f66bd308dcb8d50160a01
8361. 3728 2640
8362. File
8363. Close
8364.  
8365. C:\MSOCache\All Users\{90120000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml
8366. MD5: 64e040e7e94342b63bb1d26f4b39f77a
8367. SHA1: 4700f9045c60913f6688be89704c96d91cca55f5
8368. 3728 3329
8369. File
8370. Hide
8371.  
8372. C:\Documents and Settings\All Users\Application Data\System32\xfs
8373. MD5: 7b3e4ae96366e55872aaf0ce3add12e8
8374. SHA1: d249b66143545c76193f66bd308dcb8d50160a01
8375. 3728 2640
8376. File
8377. Open
8378.  
8379. C:\MSOCache\All Users\{90120000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml
8380. MD5: 64e040e7e94342b63bb1d26f4b39f77a
8381. SHA1: 4700f9045c60913f6688be89704c96d91cca55f5
8382. 3728 3329
8383. File
8384. Close
8385.  
8386. C:\MSOCache\All Users\{90120000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml
8387. MD5: 4c34fd9e85ee5b2cee87c6cc5b7fa5ff
8388. SHA1: 314b26c29d4f2c0025b7841d81fee895973ccce3
8389. 3728 3344
8390. File
8391. Rename
8392.  
8393. Old Name: C:\MSOCache\All Users\{90120000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml
8394. New Name: C:\MSOCache\All Users\{90120000-001A-0409-0000-0000000FF1CE}-C\Zwet1MKSSC47QoUNmFF3SErMLNE+SokPcXP-R
8395. nIjmL0=.4F3773E1C2AF79622E62.no_more_ransom
8396. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
8397. MD5: 4c34fd9e85ee5b2cee87c6cc5b7fa5ff
8398. SHA1: 314b26c29d4f2c0025b7841d81fee895973ccce3
8399. 3728 3344
8400. API Call
8401.  
8402. API Name: Sleep Address: 0x0040de21
8403. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
8404. 3728
8405. File
8406. Open
8407.  
8408. C:\Documents and Settings\All Users\Application Data\System32\xfs
8409. MD5: 7b3e4ae96366e55872aaf0ce3add12e8
8410. SHA1: d249b66143545c76193f66bd308dcb8d50160a01
8411. 3728 2640
8412. File
8413. Close
8414.  
8415. C:\Documents and Settings\All Users\Application Data\System32\xfs
8416. MD5: cdd2c2ab1528225f5eb66ab15217b51c
8417. SHA1: 1141bea48b82dd4205d251987e21c29f50fdcf85
8418. 3728 2832
8419. File
8420. Open
8421.  
8422. C:\MSOCache\All Users\{90120000-0018-0409-0000-0000000FF1CE}-C\Setup.xml
8423. 3728 2004
8424. File
8425. Hide
8426.  
8427. C:\Documents and Settings\All Users\Application Data\System32\xfs
8428. MD5: cdd2c2ab1528225f5eb66ab15217b51c
8429. SHA1: 1141bea48b82dd4205d251987e21c29f50fdcf85
8430. 3728 2832
8431. File
8432. Close
8433.  
8434. C:\MSOCache\All Users\{90120000-0018-0409-0000-0000000FF1CE}-C\Setup.xml
8435. MD5: 98af4f37f73842461caa94064efa16d5
8436. SHA1: 5bbe777e79f8b25add9393e0148b9253ce1d2478
8437. 3728 2388
8438. File
8439. Open
8440.  
8441. C:\MSOCache\All Users\{90120000-0018-0409-0000-0000000FF1CE}-C\Setup.xml
8442. MD5: 98af4f37f73842461caa94064efa16d5
8443. SHA1: 5bbe777e79f8b25add9393e0148b9253ce1d2478
8444. 3728 2388
8445. File
8446. Close
8447.  
8448. C:\MSOCache\All Users\{90120000-0018-0409-0000-0000000FF1CE}-C\Setup.xml
8449. MD5: 2a3419ead6f80ae4139ef2fdf938c80a
8450. SHA1: 6a329f6f08fcbd00b521b0b5003baff3c3892add
8451. 3728 2400
8452. File
8453. Rename
8454.  
8455. Old Name: C:\MSOCache\All Users\{90120000-0018-0409-0000-0000000FF1CE}-C\Setup.xml
8456. New Name: C:\MSOCache\All Users\{90120000-0018-0409-0000-0000000FF1CE}-C\bPPbLhFgRjCtT0S895Cuc+g+UZqJUJDseRGZX
8457. GH6Jdc=.4F3773E1C2AF79622E62.no_more_ransom
8458. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
8459. MD5: 2a3419ead6f80ae4139ef2fdf938c80a
8460. SHA1: 6a329f6f08fcbd00b521b0b5003baff3c3892add
8461. 3728 2400
8462. File
8463. Open
8464.  
8465. C:\MSOCache\All Users\{90120000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml
8466. 3728 1553
8467. File
8468. Close
8469.  
8470. C:\MSOCache\All Users\{90120000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml
8471. MD5: a599dfcba50f044bf3aa1dc96d1b4844
8472. SHA1: 9aa3bd6aa2346fac581c64674e0c584ff4a0fd93
8473. 3728 1937
8474. File
8475. Open
8476.  
8477. C:\Documents and Settings\All Users\Application Data\System32\xfs
8478. MD5: cdd2c2ab1528225f5eb66ab15217b51c
8479. SHA1: 1141bea48b82dd4205d251987e21c29f50fdcf85
8480. 3728 2832
8481. File
8482. Close
8483.  
8484. C:\Documents and Settings\All Users\Application Data\System32\xfs
8485. MD5: bff3d858cabf0dc3c26a2a423f5b2c02
8486. SHA1: daec0afe00cea7f03c1c2a136bb4b0b4f7885dab
8487. 3728 3014
8488. File
8489. Open
8490.  
8491. C:\MSOCache\All Users\{90120000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml
8492. MD5: a599dfcba50f044bf3aa1dc96d1b4844
8493. SHA1: 9aa3bd6aa2346fac581c64674e0c584ff4a0fd93
8494. 3728 1937
8495. File
8496. Hide
8497.  
8498. C:\Documents and Settings\All Users\Application Data\System32\xfs
8499. MD5: bff3d858cabf0dc3c26a2a423f5b2c02
8500. SHA1: daec0afe00cea7f03c1c2a136bb4b0b4f7885dab
8501. 3728 3014
8502. File
8503. Close
8504.  
8505. C:\MSOCache\All Users\{90120000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml
8506. MD5: 9248ac29307fe8cb5cf50fa1be51ab14
8507. SHA1: 2cbcb9488c22e4ab0e0520956f02971412fc85b3
8508. 3728 1952
8509. File
8510. Rename
8511.  
8512. Old Name: C:\MSOCache\All Users\{90120000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml
8513. New Name: C:\MSOCache\All Users\{90120000-0018-0409-0000-0000000FF1CE}-C\6rYu-ij2l9oH5dv-NeaTNJtDAkhlywM0rGFWu
8514. IODgbCFGFCzA2ar5Sc4gYdx6gb+.4F3773E1C2AF79622E62.no_more_ransom
8515. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
8516. MD5: 9248ac29307fe8cb5cf50fa1be51ab14
8517. SHA1: 2cbcb9488c22e4ab0e0520956f02971412fc85b3
8518. 3728 1952
8519. File
8520. Open
8521.  
8522. C:\MSOCache\All Users\{90120000-0016-0409-0000-0000000FF1CE}-C\Setup.xml
8523. 3728 2527
8524. File
8525. Open
8526.  
8527. C:\Documents and Settings\All Users\Application Data\System32\xfs
8528. MD5: bff3d858cabf0dc3c26a2a423f5b2c02
8529. SHA1: daec0afe00cea7f03c1c2a136bb4b0b4f7885dab
8530. 3728 3014
8531. File
8532. Close
8533.  
8534. C:\Documents and Settings\All Users\Application Data\System32\xfs
8535. MD5: 4e70f78399bd8e53dac1db7ec3f4ddfe
8536. SHA1: 4aaf0335ea79a0d3f2533a17ee2d4d65d2b2e3e8
8537. 3728 3212
8538. File
8539. Hide
8540.  
8541. C:\Documents and Settings\All Users\Application Data\System32\xfs
8542. MD5: 4e70f78399bd8e53dac1db7ec3f4ddfe
8543. SHA1: 4aaf0335ea79a0d3f2533a17ee2d4d65d2b2e3e8
8544. 3728 3212
8545. File
8546. Close
8547.  
8548. C:\MSOCache\All Users\{90120000-0016-0409-0000-0000000FF1CE}-C\Setup.xml
8549. MD5: 6e3e8bbd84a897b0c17058c314c3083e
8550. SHA1: fe6a6b1d8647367ac649eb0e694ff53f570b0297
8551. 3728 2911
8552. File
8553. Open
8554.  
8555. C:\MSOCache\All Users\{90120000-0016-0409-0000-0000000FF1CE}-C\Setup.xml
8556. MD5: 6e3e8bbd84a897b0c17058c314c3083e
8557. SHA1: fe6a6b1d8647367ac649eb0e694ff53f570b0297
8558. 3728 2911
8559. File
8560. Close
8561.  
8562. C:\MSOCache\All Users\{90120000-0016-0409-0000-0000000FF1CE}-C\Setup.xml
8563. MD5: 64d901602242327f67f0a04169a4866f
8564. SHA1: e591551448800c495f404bf88d6d1f975cdbcc2c
8565. 3728 2912
8566. File
8567. Rename
8568.  
8569. Old Name: C:\MSOCache\All Users\{90120000-0016-0409-0000-0000000FF1CE}-C\Setup.xml
8570. New Name: C:\MSOCache\All Users\{90120000-0016-0409-0000-0000000FF1CE}-C\yc8YQ728mR64G7aTrQgwC0QoDFIwAOWsSLeT-
8571. qgsBzk=.4F3773E1C2AF79622E62.no_more_ransom
8572. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
8573. MD5: 64d901602242327f67f0a04169a4866f
8574. SHA1: e591551448800c495f404bf88d6d1f975cdbcc2c
8575. 3728 2912
8576. API Call
8577.  
8578. API Name: Sleep Address: 0x0040de21
8579. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
8580. 3728
8581. File
8582. Open
8583.  
8584. C:\MSOCache\All Users\{90120000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml
8585. 3728 1801
8586. File
8587. Open
8588.  
8589. C:\Documents and Settings\All Users\Application Data\System32\xfs
8590. MD5: 4e70f78399bd8e53dac1db7ec3f4ddfe
8591. SHA1: 4aaf0335ea79a0d3f2533a17ee2d4d65d2b2e3e8
8592. 3728 3212
8593. File
8594. Close
8595.  
8596. C:\Documents and Settings\All Users\Application Data\System32\xfs
8597. MD5: 20705eec377567c6783ff1430d8422dc
8598. SHA1: 0a354fcf33c57c2ead76160463c437c576abdfa4
8599. 3728 3394
8600. File
8601. Close
8602.  
8603. C:\MSOCache\All Users\{90120000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml
8604. MD5: d00b8a4bdc248f0ef4e414d8d4479dda
8605. SHA1: 5f9e8e7d28151313ffdf1cad1e436b74884ee2a9
8606. 3728 2185
8607. File
8608. Hide
8609.  
8610. C:\Documents and Settings\All Users\Application Data\System32\xfs
8611. MD5: 20705eec377567c6783ff1430d8422dc
8612. SHA1: 0a354fcf33c57c2ead76160463c437c576abdfa4
8613. 3728 3394
8614. File
8615. Open
8616.  
8617. C:\MSOCache\All Users\{90120000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml
8618. MD5: d00b8a4bdc248f0ef4e414d8d4479dda
8619. SHA1: 5f9e8e7d28151313ffdf1cad1e436b74884ee2a9
8620. 3728 2185
8621. File
8622. Close
8623.  
8624. C:\MSOCache\All Users\{90120000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml
8625. MD5: b80d5daeb17e75022b9f2541218100ee
8626. SHA1: b6e57f833a98ae85aef2158d3ffd4eacf897050c
8627. 3728 2192
8628. File
8629. Rename
8630.  
8631. Old Name: C:\MSOCache\All Users\{90120000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml
8632. New Name: C:\MSOCache\All Users\{90120000-0016-0409-0000-0000000FF1CE}-C\CY6B4swVdFf3rlnS2B3k9CgHwG1OixXcDMx9K
8633. qZ7TjE=.4F3773E1C2AF79622E62.no_more_ransom
8634. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
8635. MD5: b80d5daeb17e75022b9f2541218100ee
8636. SHA1: b6e57f833a98ae85aef2158d3ffd4eacf897050c
8637. 3728 2192
8638. File
8639. Open
8640.  
8641. C:\Documents and Settings\All Users\Application Data\System32\xfs
8642. MD5: 20705eec377567c6783ff1430d8422dc
8643. SHA1: 0a354fcf33c57c2ead76160463c437c576abdfa4
8644. 3728 3394
8645. File
8646. Close
8647.  
8648. C:\Documents and Settings\All Users\Application Data\System32\xfs
8649. MD5: fb496f7fde0b270bb971c4a8d14f29b0
8650. SHA1: 000eb70b2060cbe19f701159824ccfece189eb63
8651. 3728 3582
8652. File
8653. Hide
8654.  
8655. C:\Documents and Settings\All Users\Application Data\System32\xfs
8656. MD5: fb496f7fde0b270bb971c4a8d14f29b0
8657. SHA1: 000eb70b2060cbe19f701159824ccfece189eb63
8658. 3728 3582
8659. File
8660. Open
8661.  
8662. C:\MSOCache\All Users\{90120000-0012-0000-0000-0000000FF1CE}-C\StandardWW.xml
8663. 3728 13115
8664. File
8665. Close
8666.  
8667. C:\MSOCache\All Users\{90120000-0012-0000-0000-0000000FF1CE}-C\StandardWW.xml
8668. MD5: 6cfc268348726af3fa1532496d3353ab
8669. SHA1: e07a1705d0d7faa7952e0ceffc3579f677d81135
8670. 3728 13499
8671. File
8672. Open
8673.  
8674. C:\MSOCache\All Users\{90120000-0012-0000-0000-0000000FF1CE}-C\StandardWW.xml
8675. MD5: 6cfc268348726af3fa1532496d3353ab
8676. SHA1: e07a1705d0d7faa7952e0ceffc3579f677d81135
8677. 3728 13499
8678. File
8679. Close
8680.  
8681. C:\MSOCache\All Users\{90120000-0012-0000-0000-0000000FF1CE}-C\StandardWW.xml
8682. MD5: 7609b4d2c02a6c0c6d7091141260e863
8683. SHA1: 30832ee4c3dd4bde917ac9ceac14e0180d00cfee
8684. 3728 13504
8685. File
8686. Rename
8687.  
8688. Old Name: C:\MSOCache\All Users\{90120000-0012-0000-0000-0000000FF1CE}-C\StandardWW.xml
8689. New Name: C:\MSOCache\All Users\{90120000-0012-0000-0000-0000000FF1CE}-C\XztWhexqsqrJFo4LWhpYJNrU3fmHQE-CP1q0y
8690. bV17Sk=.4F3773E1C2AF79622E62.no_more_ransom
8691. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
8692. MD5: 7609b4d2c02a6c0c6d7091141260e863
8693. SHA1: 30832ee4c3dd4bde917ac9ceac14e0180d00cfee
8694. 3728 13504
8695. File
8696. Open
8697.  
8698. C:\MSOCache\All Users\{90120000-0012-0000-0000-0000000FF1CE}-C\Setup.xml
8699. 3728 24033
8700. File
8701. Open
8702.  
8703. C:\Documents and Settings\All Users\Application Data\System32\xfs
8704. MD5: fb496f7fde0b270bb971c4a8d14f29b0
8705. SHA1: 000eb70b2060cbe19f701159824ccfece189eb63
8706. 3728 3582
8707. File
8708. Close
8709.  
8710. C:\Documents and Settings\All Users\Application Data\System32\xfs
8711. MD5: 22af9b69d520848e1e15f1d40fb3ca2d
8712. SHA1: 3fdd9752b83bd89d7110169c173984062eaa4530
8713. 3728 3774
8714. File
8715. Close
8716.  
8717. C:\MSOCache\All Users\{90120000-0012-0000-0000-0000000FF1CE}-C\Setup.xml
8718. MD5: a8e86cdbfcd7426b14b65608210b52da
8719. SHA1: 3c12c7c17776bac73bfbe80350e1ebd41c38bf10
8720. 3728 24417
8721. File
8722. Hide
8723.  
8724. C:\Documents and Settings\All Users\Application Data\System32\xfs
8725. MD5: 22af9b69d520848e1e15f1d40fb3ca2d
8726. SHA1: 3fdd9752b83bd89d7110169c173984062eaa4530
8727. 3728 3774
8728. File
8729. Open
8730.  
8731. C:\MSOCache\All Users\{90120000-0012-0000-0000-0000000FF1CE}-C\Setup.xml
8732. MD5: a8e86cdbfcd7426b14b65608210b52da
8733. SHA1: 3c12c7c17776bac73bfbe80350e1ebd41c38bf10
8734. 3728 24417
8735. File
8736. Close
8737.  
8738. C:\MSOCache\All Users\{90120000-0012-0000-0000-0000000FF1CE}-C\Setup.xml
8739. MD5: 69a4f8bc7570fa28679151a7635693af
8740. SHA1: 91f2a9935d9a5e157506b6397f32096d1c4f023e
8741. 3728 24432
8742. File
8743. Rename
8744.  
8745. Old Name: C:\MSOCache\All Users\{90120000-0012-0000-0000-0000000FF1CE}-C\Setup.xml
8746. New Name: C:\MSOCache\All Users\{90120000-0012-0000-0000-0000000FF1CE}-C\FrYj+cRG8lr9AOOxNJ2ZCD9FomiKhz+CcdywA
8747. SwS3VU=.4F3773E1C2AF79622E62.no_more_ransom
8748. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
8749. MD5: 69a4f8bc7570fa28679151a7635693af
8750. SHA1: 91f2a9935d9a5e157506b6397f32096d1c4f023e
8751. 3728 24432
8752. File
8753. Open
8754.  
8755. C:\MSOCache\All Users\{90120000-0012-0000-0000-0000000FF1CE}-C\Office64WW.xml
8756. 3728 2310
8757. API Call
8758.  
8759. API Name: Sleep Address: 0x0040de21
8760. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
8761. 3728
8762. File
8763. Open
8764.  
8765. C:\Documents and Settings\All Users\Application Data\System32\xfs
8766. MD5: 22af9b69d520848e1e15f1d40fb3ca2d
8767. SHA1: 3fdd9752b83bd89d7110169c173984062eaa4530
8768. 3728 3774
8769. File
8770. Close
8771.  
8772. C:\Documents and Settings\All Users\Application Data\System32\xfs
8773. MD5: 66b051814baf02f3fe1107c302468386
8774. SHA1: dfe51efb6287ae42e9a4c48c3ccfee5d856c69d9
8775. 3728 3956
8776. File
8777. Close
8778.  
8779. C:\MSOCache\All Users\{90120000-0012-0000-0000-0000000FF1CE}-C\Office64WW.xml
8780. MD5: 14fc3b896b237a6f4643336504b3feb8
8781. SHA1: 19f4a70989b22b8ac30f405a3d4466e618d2ec5f
8782. 3728 2694
8783. File
8784. Hide
8785.  
8786. C:\Documents and Settings\All Users\Application Data\System32\xfs
8787. MD5: 66b051814baf02f3fe1107c302468386
8788. SHA1: dfe51efb6287ae42e9a4c48c3ccfee5d856c69d9
8789. 3728 3956
8790. File
8791. Open
8792.  
8793. C:\MSOCache\All Users\{90120000-0012-0000-0000-0000000FF1CE}-C\Office64WW.xml
8794. MD5: 14fc3b896b237a6f4643336504b3feb8
8795. SHA1: 19f4a70989b22b8ac30f405a3d4466e618d2ec5f
8796. 3728 2694
8797. File
8798. Close
8799.  
8800. C:\MSOCache\All Users\{90120000-0012-0000-0000-0000000FF1CE}-C\Office64WW.xml
8801. MD5: 1c47d1ef4e5878ba38147fb7c6f00518
8802. SHA1: 7f3335ccf3f7bc10f33bd901315d5c316a8491ad
8803. 3728 2704
8804. File
8805. Rename
8806.  
8807. Old Name: C:\MSOCache\All Users\{90120000-0012-0000-0000-0000000FF1CE}-C\Office64WW.xml
8808. New Name: C:\MSOCache\All Users\{90120000-0012-0000-0000-0000000FF1CE}-C\wG-GugL23H5H0mLOJZoedkauUAUKwv4PmAwhw
8809. RSCH2E=.4F3773E1C2AF79622E62.no_more_ransom
8810. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
8811. MD5: 1c47d1ef4e5878ba38147fb7c6f00518
8812. SHA1: 7f3335ccf3f7bc10f33bd901315d5c316a8491ad
8813. 3728 2704
8814. File
8815. Open
8816.  
8817. C:\Documents and Settings\All Users\Application Data\System32\xfs
8818. MD5: 66b051814baf02f3fe1107c302468386
8819. SHA1: dfe51efb6287ae42e9a4c48c3ccfee5d856c69d9
8820. 3728 3956
8821. File
8822. Close
8823.  
8824. C:\Documents and Settings\All Users\Application Data\System32\xfs
8825. MD5: 02a3e5015b04526b2949707d9fec9600
8826. SHA1: 6ad22bcbd9450ddea94355eb9db2b0eb9e8b3223
8827. 3728 4148
8828. File
8829. Hide
8830.  
8831. C:\Documents and Settings\All Users\Application Data\System32\xfs
8832. MD5: 02a3e5015b04526b2949707d9fec9600
8833. SHA1: 6ad22bcbd9450ddea94355eb9db2b0eb9e8b3223
8834. 3728 4148
8835. File
8836. Open
8837.  
8838. C:\MSOCache\All Users\{90120000-0010-0409-0000-0000000FF1CE}-C\Setup.xml
8839. 3728 1251
8840. File
8841. Close
8842.  
8843. C:\MSOCache\All Users\{90120000-0010-0409-0000-0000000FF1CE}-C\Setup.xml
8844. MD5: 04425146afa5b88969ce9d2af0b40ea0
8845. SHA1: d50a3cfd37df87cbdc6e5277ce5172d1769dc2aa
8846. 3728 1635
8847. File
8848. Open
8849.  
8850. C:\MSOCache\All Users\{90120000-0010-0409-0000-0000000FF1CE}-C\Setup.xml
8851. MD5: 04425146afa5b88969ce9d2af0b40ea0
8852. SHA1: d50a3cfd37df87cbdc6e5277ce5172d1769dc2aa
8853. 3728 1635
8854. File
8855. Close
8856.  
8857. C:\MSOCache\All Users\{90120000-0010-0409-0000-0000000FF1CE}-C\Setup.xml
8858. MD5: 36f028e51b43ffde6d5ebb907ade6a9a
8859. SHA1: 70ad07e12a7db1597a41dacef0aa7d6dde9fbed4
8860. 3728 1648
8861. File
8862. Rename
8863.  
8864. Old Name: C:\MSOCache\All Users\{90120000-0010-0409-0000-0000000FF1CE}-C\Setup.xml
8865. New Name: C:\MSOCache\All Users\{90120000-0010-0409-0000-0000000FF1CE}-C\xd6VBgZxiTY-zi8HmV-Q3zIgSrR-pAGi5xfTE
8866. 5WV6ag=.4F3773E1C2AF79622E62.no_more_ransom
8867. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
8868. MD5: 36f028e51b43ffde6d5ebb907ade6a9a
8869. SHA1: 70ad07e12a7db1597a41dacef0aa7d6dde9fbed4
8870. 3728 1648
8871. File
8872. Open
8873.  
8874. C:\MSOCache\All Users\{90120000-0010-0409-0000-0000000FF1CE}-C\RosebudMUI.xml
8875. 3728 811
8876. File
8877. Close
8878.  
8879. C:\MSOCache\All Users\{90120000-0010-0409-0000-0000000FF1CE}-C\RosebudMUI.xml
8880. MD5: 676c3ccde3811ffefa7a767b88ac7cdf
8881. SHA1: e40442233a3fbe117481748e84611db4aca79d9c
8882. 3728 1195
8883. File
8884. Open
8885.  
8886. C:\MSOCache\All Users\{90120000-0010-0409-0000-0000000FF1CE}-C\RosebudMUI.xml
8887. MD5: 676c3ccde3811ffefa7a767b88ac7cdf
8888. SHA1: e40442233a3fbe117481748e84611db4aca79d9c
8889. 3728 1195
8890. File
8891. Open
8892.  
8893. C:\Documents and Settings\All Users\Application Data\System32\xfs
8894. MD5: 02a3e5015b04526b2949707d9fec9600
8895. SHA1: 6ad22bcbd9450ddea94355eb9db2b0eb9e8b3223
8896. 3728 4148
8897. File
8898. Close
8899.  
8900. C:\Documents and Settings\All Users\Application Data\System32\xfs
8901. MD5: 5d94f54c8b5379921c3798fa4c946408
8902. SHA1: 10c2e5bf667c80de748d5b305d86edcc7c43d1f8
8903. 3728 4330
8904. File
8905. Close
8906.  
8907. C:\MSOCache\All Users\{90120000-0010-0409-0000-0000000FF1CE}-C\RosebudMUI.xml
8908. MD5: e0c3b4257b9222183a35a2fd97f3ba97
8909. SHA1: 54653f112c12f95a8d8c98a5ea8bb6720a802fba
8910. 3728 1200
8911. File
8912. Hide
8913.  
8914. C:\Documents and Settings\All Users\Application Data\System32\xfs
8915. MD5: 5d94f54c8b5379921c3798fa4c946408
8916. SHA1: 10c2e5bf667c80de748d5b305d86edcc7c43d1f8
8917. 3728 4330
8918. File
8919. Rename
8920.  
8921. Old Name: C:\MSOCache\All Users\{90120000-0010-0409-0000-0000000FF1CE}-C\RosebudMUI.xml
8922. New Name: C:\MSOCache\All Users\{90120000-0010-0409-0000-0000000FF1CE}-C\kLYsuU6+u2Eavb7csWANaB+1gvfw-bHy2cWlJ
8923. oJLMGo=.4F3773E1C2AF79622E62.no_more_ransom
8924. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
8925. MD5: e0c3b4257b9222183a35a2fd97f3ba97
8926. SHA1: 54653f112c12f95a8d8c98a5ea8bb6720a802fba
8927. 3728 1200
8928. File
8929. Find
8930.  
8931. C:\Documents and Settings\*
8932. 3728
8933. File
8934. Open
8935.  
8936. C:\Documents and Settings\All Users\Application Data\System32\xfs
8937. MD5: 5d94f54c8b5379921c3798fa4c946408
8938. SHA1: 10c2e5bf667c80de748d5b305d86edcc7c43d1f8
8939. 3728 4330
8940. File
8941. Close
8942.  
8943. C:\Documents and Settings\All Users\Application Data\System32\xfs
8944. MD5: a32308573e380f98e068df1d6d928a2d
8945. SHA1: 957472f55e482f6679a00919ed483d1cb932c1cc
8946. 3728 4522
8947. File
8948. Hide
8949.  
8950. C:\Documents and Settings\All Users\Application Data\System32\xfs
8951. MD5: a32308573e380f98e068df1d6d928a2d
8952. SHA1: 957472f55e482f6679a00919ed483d1cb932c1cc
8953. 3728 4522
8954. API Call
8955.  
8956. API Name: Sleep Address: 0x0040de21
8957. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe DLL Name: kernel32.dll
8958. 3728
8959. File
8960. Failed
8961.  
8962. C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.
8963. dat.LOG
8964. 3728
8965. File
8966. Failed
8967.  
8968. C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.
8969. dat
8970. 3728
8971. Folder
8972. Open
8973.  
8974. C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Credentials
8975. 3728
8976. Folder
8977. Open
8978.  
8979. C:\Documents and Settings\NetworkService\Cookies
8980. 3728
8981. ProcessTelemetryReport
8982.  
8983. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
8984. 3728
8985. Folder
8986. Open
8987.  
8988. C:\Documents and Settings\NetworkService\Application Data\Microsoft\Credentials
8989. 3728
8990. File
8991. Failed
8992.  
8993. C:\Documents and Settings\NetworkService\ntuser.dat.LOG
8994. 3728
8995. File
8996. Failed
8997.  
8998. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat
8999. 3728
9000. File
9001. Failed
9002.  
9003. C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat
9004. 3728
9005. File
9006. Open
9007.  
9008. C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows Media\9.0\W
9009. MSDKNS.XML
9010. 3728 12784
9011. File
9012. Close
9013.  
9014. C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows Media\9.0\W
9015. MSDKNS.XML
9016. MD5: cb355036d1a682979930881289c32fe3
9017. SHA1: 11d85afdacb0324859b463338f01672ceada2711
9018. 3728 13168
9019. File
9020. Open
9021.  
9022. C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows Media\9.0\W
9023. MSDKNS.XML
9024. MD5: cb355036d1a682979930881289c32fe3
9025. SHA1: 11d85afdacb0324859b463338f01672ceada2711
9026. 3728 13168
9027. File
9028. Close
9029.  
9030. C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows Media\9.0\W
9031. MSDKNS.XML
9032. MD5: 0d1ed8a1fa5559ddd57be59ece651126
9033. SHA1: 0744fc825b402adc87b4adca04a360321d7a3aed
9034. 3728 13168
9035. File
9036. Rename
9037.  
9038. Old Name: C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows Media\9.0\W
9039. MSDKNS.XML
9040. New Name: C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows Media\9.0\c
9041. Q7Cpemiy8aZPUh-Ujh1EAZSBuYE2UgN4a3QITfhXfQ=.4F3773E1C2AF79622E62.no_more_ransom
9042. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
9043. MD5: 0d1ed8a1fa5559ddd57be59ece651126
9044. SHA1: 0744fc825b402adc87b4adca04a360321d7a3aed
9045. 3728 13168
9046. File
9047. Open
9048.  
9049. C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows Media\9.0\W
9050. MSDKNS.DTD
9051. 3728 498
9052. File
9053. Close
9054.  
9055. C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows Media\9.0\W
9056. MSDKNS.DTD
9057. MD5: 958839c0199cb4cdc04f8cbdb2657605
9058. SHA1: d37ea728584d85e6a13472c0e9aed63e05548c6e
9059. 3728 882
9060. File
9061. Open
9062.  
9063. C:\Documents and Settings\All Users\Application Data\System32\xfs
9064. MD5: a32308573e380f98e068df1d6d928a2d
9065. SHA1: 957472f55e482f6679a00919ed483d1cb932c1cc
9066. 3728 4522
9067. File
9068. Close
9069.  
9070. C:\Documents and Settings\All Users\Application Data\System32\xfs
9071. MD5: e1ec334809837b3ffe53ff91efa45c23
9072. SHA1: e87da2cc46babc65f6590875b97b5e043ca24e06
9073. 3728 4780
9074. File
9075. Open
9076.  
9077. C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows Media\9.0\W
9078. MSDKNS.DTD
9079. MD5: 958839c0199cb4cdc04f8cbdb2657605
9080. SHA1: d37ea728584d85e6a13472c0e9aed63e05548c6e
9081. 3728 882
9082. File
9083. Hide
9084.  
9085. C:\Documents and Settings\All Users\Application Data\System32\xfs
9086. MD5: e1ec334809837b3ffe53ff91efa45c23
9087. SHA1: e87da2cc46babc65f6590875b97b5e043ca24e06
9088. 3728 4780
9089. File
9090. Close
9091.  
9092. C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows Media\9.0\W
9093. MSDKNS.DTD
9094. MD5: a68a139e356e0671a99486f841f289dc
9095. SHA1: 71685760d6c6eea8ad2937e197365e41d3d646e1
9096. 3728 896
9097. File
9098. Rename
9099.  
9100. Old Name: C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows Media\9.0\W
9101. MSDKNS.DTD
9102. New Name: C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows Media\9.0\W
9103. DyM51Atr6pWnJVnDfbYZF6fG2NjHMHbLmSD6aYTN5E=.4F3773E1C2AF79622E62.no_more_ransom
9104. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
9105. MD5: a68a139e356e0671a99486f841f289dc
9106. SHA1: 71685760d6c6eea8ad2937e197365e41d3d646e1
9107. 3728 896
9108. File
9109. Failed
9110.  
9111. C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.da
9112. t.LOG
9113. 3728
9114. File
9115. Open
9116.  
9117. C:\Documents and Settings\All Users\Application Data\System32\xfs
9118. MD5: e1ec334809837b3ffe53ff91efa45c23
9119. SHA1: e87da2cc46babc65f6590875b97b5e043ca24e06
9120. 3728 4780
9121. File
9122. Close
9123.  
9124. C:\Documents and Settings\All Users\Application Data\System32\xfs
9125. MD5: 46d84d1d775ad4b13914982c0628bbc4
9126. SHA1: 1b9484595945b7f3a621001354e776778346f0c3
9127. 3728 5038
9128. File
9129. Hide
9130.  
9131. C:\Documents and Settings\All Users\Application Data\System32\xfs
9132. MD5: 46d84d1d775ad4b13914982c0628bbc4
9133. SHA1: 1b9484595945b7f3a621001354e776778346f0c3
9134. 3728 5038
9135. File
9136. Failed
9137.  
9138. C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.da
9139. t
9140. 3728
9141. Folder
9142. Open
9143.  
9144. C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Credentials
9145. 3728
9146. File
9147. Open
9148.  
9149. C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
9150. 3728 114232
9151. File
9152. Close
9153.  
9154. C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
9155. MD5: dc392415e495b0632a6c99950205c2d9
9156. SHA1: b3bf527827c9606a06af2f56bb732615c04b91b1
9157. 3728 114616
9158. File
9159. Open
9160.  
9161. C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
9162. MD5: dc392415e495b0632a6c99950205c2d9
9163. SHA1: b3bf527827c9606a06af2f56bb732615c04b91b1
9164. 3728 114616
9165. File
9166. Close
9167.  
9168. C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
9169. MD5: 1d781aef6f642af706e1756563e751b7
9170. SHA1: 5110b96bfa44c818fd4bdd45bb2081f097657cba
9171. 3728 114624
9172. File
9173. Rename
9174.  
9175. Old Name: C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
9176. New Name: C:\Documents and Settings\LocalService\Local Settings\Application Data\XPDwOv-JkqLjD1tNCEddfi3yYhNYf
9177. 52ZP9+NwdyrC7oHTprE48MoClk1r3He2iQ1.4F3773E1C2AF79622E62.no_more_ransom
9178. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
9179. MD5: 1d781aef6f642af706e1756563e751b7
9180. SHA1: 5110b96bfa44c818fd4bdd45bb2081f097657cba
9181. 3728 114624
9182. Folder
9183. Open
9184.  
9185. C:\Documents and Settings\LocalService\Cookies
9186. 3728
9187. File
9188. Failed
9189.  
9190. C:\Documents and Settings\LocalService\Cookies\index.dat
9191. 3728
9192. File
9193. Open
9194.  
9195. C:\Documents and Settings\All Users\Application Data\System32\xfs
9196. MD5: 46d84d1d775ad4b13914982c0628bbc4
9197. SHA1: 1b9484595945b7f3a621001354e776778346f0c3
9198. 3728 5038
9199. File
9200. Close
9201.  
9202. C:\Documents and Settings\All Users\Application Data\System32\xfs
9203. MD5: bce51e878b486b4fe34a7a1c8cd25f63
9204. SHA1: 6a10783a3621faf48ffd884be9244acef668157d
9205. 3728 5258
9206. File
9207. Hide
9208.  
9209. C:\Documents and Settings\All Users\Application Data\System32\xfs
9210. MD5: bce51e878b486b4fe34a7a1c8cd25f63
9211. SHA1: 6a10783a3621faf48ffd884be9244acef668157d
9212. 3728 5258
9213. Folder
9214. Open
9215.  
9216. C:\Documents and Settings\LocalService\Application Data\Microsoft\Credentials
9217. 3728
9218. File
9219. Failed
9220.  
9221. C:\Documents and Settings\LocalService\ntuser.dat.LOG
9222. 3728
9223. File
9224. Open
9225.  
9226. C:\Documents and Settings\Default User\Templates\wordpfct.wpd
9227. 3728 30
9228. File
9229. Close
9230.  
9231. C:\Documents and Settings\Default User\Templates\wordpfct.wpd
9232. MD5: 05150055dfad0f74be78c4ee75ee4930
9233. SHA1: 571b97adaa3eeddee8b465b2642b9c6d6dcd4870
9234. 3728 414
9235. File
9236. Open
9237.  
9238. C:\Documents and Settings\Default User\Templates\wordpfct.wpd
9239. MD5: 05150055dfad0f74be78c4ee75ee4930
9240. SHA1: 571b97adaa3eeddee8b465b2642b9c6d6dcd4870
9241. 3728 414
9242. File
9243. Close
9244.  
9245. C:\Documents and Settings\Default User\Templates\wordpfct.wpd
9246. MD5: 6bd0dbdb5334d6f91c65d55969201a16
9247. SHA1: cf49bffed65c1e363bf3bf620c1f5114a14da915
9248. 3728 416
9249. File
9250. Rename
9251.  
9252. Old Name: C:\Documents and Settings\Default User\Templates\wordpfct.wpd
9253. New Name: C:\Documents and Settings\Default User\Templates\8rzQr4e2qQSFw8IGMa7ggqwrM0a8mQ7PflQadi4lYVU=.4F3773
9254. E1C2AF79622E62.no_more_ransom
9255. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
9256. MD5: 6bd0dbdb5334d6f91c65d55969201a16
9257. SHA1: cf49bffed65c1e363bf3bf620c1f5114a14da915
9258. 3728 416
9259. File
9260. Open
9261.  
9262. C:\Documents and Settings\Default User\Templates\winword2.doc
9263. 3728 1769
9264. File
9265. Close
9266.  
9267. C:\Documents and Settings\Default User\Templates\winword2.doc
9268. MD5: 24d9d0912623cfe1eb155bfc1bb2096c
9269. SHA1: ca0c9e56d06d745fb7e0540bdcbb358dab48d25b
9270. 3728 2153
9271. File
9272. Open
9273.  
9274. C:\Documents and Settings\All Users\Application Data\System32\xfs
9275. MD5: bce51e878b486b4fe34a7a1c8cd25f63
9276. SHA1: 6a10783a3621faf48ffd884be9244acef668157d
9277. 3728 5258
9278. File
9279. Close
9280.  
9281. C:\Documents and Settings\All Users\Application Data\System32\xfs
9282. MD5: d189a2def54d1356d97f573457d73aa4
9283. SHA1: 960ec9e071ce70826c7c2df1f58454312253ef73
9284. 3728 5418
9285. File
9286. Open
9287.  
9288. C:\Documents and Settings\Default User\Templates\winword2.doc
9289. MD5: 24d9d0912623cfe1eb155bfc1bb2096c
9290. SHA1: ca0c9e56d06d745fb7e0540bdcbb358dab48d25b
9291. 3728 2153
9292. File
9293. Close
9294.  
9295. C:\Documents and Settings\Default User\Templates\winword2.doc
9296. MD5: 79444022092aac843f1f49ebbb35c43f
9297. SHA1: 8185a5b6c014cf239c6c82a8dd5007d509ba7478
9298. 3728 2160
9299. File
9300. Hide
9301.  
9302. C:\Documents and Settings\All Users\Application Data\System32\xfs
9303. MD5: d189a2def54d1356d97f573457d73aa4
9304. SHA1: 960ec9e071ce70826c7c2df1f58454312253ef73
9305. 3728 5418
9306. File
9307. Rename
9308.  
9309. Old Name: C:\Documents and Settings\Default User\Templates\winword2.doc
9310. New Name: C:\Documents and Settings\Default User\Templates\m4z6hnNG5Jzfea7EAbC+pSDSdnLGyGsT54xgmflTJrU=.4F3773
9311. E1C2AF79622E62.no_more_ransom
9312. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
9313. MD5: 79444022092aac843f1f49ebbb35c43f
9314. SHA1: 8185a5b6c014cf239c6c82a8dd5007d509ba7478
9315. 3728 2160
9316. File
9317. Open
9318.  
9319. C:\Documents and Settings\Default User\Templates\winword.doc
9320. 3728 4608
9321. File
9322. Close
9323.  
9324. C:\Documents and Settings\Default User\Templates\winword.doc
9325. MD5: b190e59303e28f295598f582b337407a
9326. SHA1: f0c06618c05075a7bc9f7860b17eae622a6468d9
9327. 3728 4992
9328. File
9329. Open
9330.  
9331. C:\Documents and Settings\All Users\Application Data\System32\xfs
9332. MD5: d189a2def54d1356d97f573457d73aa4
9333. SHA1: 960ec9e071ce70826c7c2df1f58454312253ef73
9334. 3728 5418
9335. File
9336. Close
9337.  
9338. C:\Documents and Settings\All Users\Application Data\System32\xfs
9339. MD5: 8fdc5ae8022f0184b0fe281193b2a31c
9340. SHA1: c78432ff05ab18a0e1c10ada1c66a5dd832335ef
9341. 3728 5578
9342. File
9343. Open
9344.  
9345. C:\Documents and Settings\Default User\Templates\winword.doc
9346. MD5: b190e59303e28f295598f582b337407a
9347. SHA1: f0c06618c05075a7bc9f7860b17eae622a6468d9
9348. 3728 4992
9349. File
9350. Close
9351.  
9352. C:\Documents and Settings\Default User\Templates\winword.doc
9353. MD5: 27783ec3ba48bfc8b4c5c832b04d5e86
9354. SHA1: 7f93bc49483263eedcaf64eb9b95d12320be71c8
9355. 3728 4992
9356. File
9357. Hide
9358.  
9359. C:\Documents and Settings\All Users\Application Data\System32\xfs
9360. MD5: 8fdc5ae8022f0184b0fe281193b2a31c
9361. SHA1: c78432ff05ab18a0e1c10ada1c66a5dd832335ef
9362. 3728 5578
9363. File
9364. Rename
9365.  
9366. Old Name: C:\Documents and Settings\Default User\Templates\winword.doc
9367. New Name: C:\Documents and Settings\Default User\Templates\5I7iDxM4lfcLBdNUT9HQHtchUUXvTjrecxg7Fq3aGxM=.4F3773
9368. E1C2AF79622E62.no_more_ransom
9369. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
9370. MD5: 27783ec3ba48bfc8b4c5c832b04d5e86
9371. SHA1: 7f93bc49483263eedcaf64eb9b95d12320be71c8
9372. 3728 4992
9373. File
9374. Open
9375.  
9376. C:\Documents and Settings\Default User\Templates\sndrec.wav
9377. 3728 58
9378. 66 Repeated items skipped
9379. File
9380. Close
9381.  
9382. C:\Documents and Settings\Default User\Cookies\index.dat
9383. MD5: 9d9974dfca47938afbe1530c9901115d
9384. SHA1: d25ec728e02a9a7b22b76719190f4d2b3e1bfe09
9385. 3728 16768
9386. Folder
9387. Open
9388.  
9389. C:\Documents and Settings\Default User\Cookies
9390. 3728
9391. File
9392. Rename
9393.  
9394. Old Name: C:\Documents and Settings\Default User\Cookies\index.dat
9395. New Name: C:\Documents and Settings\Default User\Cookies\L9vFkdZbwYZBiCn42xwRNYmx30gqe0NXLZpl4xT5IyE=.4F3773E1
9396. C2AF79622E62.no_more_ransom
9397. Imagepath: C:\Documents and Settings\admin\Local Settings\Temp\factura.exe
9398. MD5: 9d9974dfca47938afbe1530c9901115d
9399. SHA1: d25ec728e02a9a7b22b76719190f4d2b3e1bfe09
9400. 3728 16768
9401. 34 Repeated items skipped
9402. File
9403. Close
9404.  
9405. C:\Documents and Settings\All Users\Application Data\System32\xfs
9406. MD5: f5da60a725287c8c41ecdf051a291833
9407. SHA1: 22a9766f266523818cb235a64ec4eb870b631676
9408. 3728 7856
9409. File
9410. Hide
9411.  
9412. C:\Documents and Settings\All Users\Application Data\System32\xfs
9413. MD5: f5da60a725287c8c41ecdf051a291833
9414. SHA1: 22a9766f266523818cb235a64ec4eb870b631676
9415. 3728 7856
9416. Ransom
9417.  
9418. C:\Documents and Settings\All Users\Documents\ykQab\zvLmin.doc
9419. MD5: a429f7e02827c5cb4549b687d134924b
9420.  
9421. Malicious Alert
9422. Ransomware
9423.  
9424. Message: Ransomware Activity
9425.  
9426. Malicious Alert
9427. Misc Anom
9428.  
9429. Message: Ransomware Activity
9430.  
9431. 1307 Repeated items skipped
9432. File
9433. Hide
9434.  
9435. C:\Documents and Settings\All Users\Application Data\System32\xfs
9436. MD5: 852acadfd45e6f53dd8f79e5d685d196
9437. SHA1: 009eaee6437acfa9658fb95ae58269834c3d92cf
9438. 3728 66036
9439. Regkey
9440. Setval
9441.  
9442. \REGISTRY\MACHINE\SOFTWARE\System32\Configuration\"xcnt" = 290
9443. 3728
9444. Malicious Alert
9445. Misc Anom
9446.  
9447. Message: System file created, modified, or overwritten
9448.  
9449. Malicious Alert
9450. Misc Anom
9451.  
9452. Message: Suspicious Persistence Behavior